Apple has rolled out an out-of-cycle patch after Google and Citizen Lab discovered an exploit chain used in Intellexa’s Predator spyware.
The three exploited bugs are CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7”, Apple said in its advisory.
Google’s Threat Analysis Group explained that the exploit chain starts with CVE-2023-41993, a Safari bug that lets a man-in-the-middle (MITM) redirect HTTP (not HTTPS) traffic to an attacker-controlled website.
The attacker can then force remote code execution on the victim’s iPhone or iPad.
CVE-2023-41991, a pointer authentication code (PAC) vulnerability, was the second exploit in the chain. Google did not provide detail on how the PAC bug was exploited.
Finally, the attackers took advantage of CVE-2023-41992 to escalate their privilege in the kernel.
With the target device compromised, Google wrote, a small payload was run to decide whether or not to install “the full Predator implant”.
Google promises a full technical analysis of the exploit chain at some point in the future.
Apple attributes discovery of the vulnerabilities to Google Threat Analysis Group’s Maddie Stone and Bill Marczak of The Citizen Lab at Toronto University.
The Citizen Lab on Friday published a report saying Predator had been deployed against Egyptian MP Ahmed Eltantawy, who in August announced his intention to run as a candidate in the country’s 2024 presidential election.
The report said the MITM was implemented as “a device installed at the border of Vodafone Egypt’s network”.
The Citizen Lab got involved when Eltantawy started to suspect his phone had been attacked and asked the university group for assistance.
The lab also identified two websites used by the zero-day chain: sec-flare[dot]com, which hosted the attack code; and verifyurl[dot]me, contacted by the malware during the attack.
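The one step of this chain a network defender can see from the outside is the first: a cleartext HTTP request that comes back as a redirect to a site the user never asked for. The following is an added example, not code from Google, The Citizen Lab or Apple; it scans a constructed proxy-log format for cleartext requests redirected off-site, and only the two domains come from the report above. The log lines, client addresses and `example.*` hosts are made up.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a web-proxy log: client, method, URL, status, Location header.
SAMPLE_LOG = """\
10.0.0.12 GET http://example.com/news 302 Location=https://sec-flare.com/s/4xq
10.0.0.12 GET https://example.com/news 200 -
10.0.0.31 GET http://example.com/old 301 Location=https://www.example.com/old
10.0.0.44 GET http://news.example.org/ 302 Location=http://verifyurl.me/c
10.0.0.44 GET https://mail.example.net/ 302 Location=https://mail.example.net/login
10.0.0.51 GET http://cdn.example.com/a.js 302 Location=http://static-host.example/a.js
"""

# Domains named in the Citizen Lab report (defanged in the article as [dot]).
KNOWN_BAD = {"sec-flare.com", "verifyurl.me"}

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<loc>\S+)$"
)


def registrable(host):
    # Crude same-site check: last two labels. Good enough for the sample; a real
    # deployment would use the public suffix list.
    return ".".join((host or "").lower().split(".")[-2:])


def find_suspicious_redirects(log_text):
    """Return (client, requested_host, redirect_host, reason) for each cleartext
    HTTP request that was answered with a redirect to a different site."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        req = urlsplit(m["url"])
        if req.scheme != "http":  # only cleartext can be rewritten in transit
            continue
        if not m["status"].startswith("3") or not m["loc"].startswith("Location="):
            continue
        dest = urlsplit(m["loc"][len("Location="):])
        if registrable(dest.hostname) == registrable(req.hostname):
            continue  # same-site redirect, e.g. an http-to-https upgrade
        reason = "known-indicator" if registrable(dest.hostname) in KNOWN_BAD \
            else "cross-site-from-cleartext"
        findings.append((m["client"], req.hostname, dest.hostname, reason))
    return findings
```

The second reason class matters more than the first: indicator domains rotate, but a cleartext request being bounced to an unrelated site is the shape of the injection itself, and is worth reviewing whatever the destination.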
While Google was unable to “capture the full Predator implant”, enough code was analysed that The Citizen Lab attributed it to Predator with “high confidence, based on comparing the payload with the 2021 sample of Predator we obtained.”
Google’s post added that it also observed a zero-day in Android that took advantage of CVE-2023-4762, which was patched earlier this month.