Apple on Thursday released urgent security updates for iPhones, iPads, Macs, Apple Watch, and Safari users to patch against three vulnerabilities that Apple says are being actively exploited.
The three vulnerabilities include a flaw in WebKit, the browser engine that powers Safari; a certificate validation bug that can allow a malicious app to run on an affected device; and a third bug that can be used to get broader access to the kernel, the core of the operating system. These three vulnerabilities form part of an exploit chain, where the bugs are used together to gain access to a target’s device.
The bug fixes come just days after the release of iOS 17, which includes a range of new security and privacy features aimed at limiting the risk from cyberattacks, such as spyware.
For its part, Apple said it is only aware of active exploitation targeting users running iOS 16.7 and earlier. Apple back-ported the bug fix to iOS 16.7, as well as older versions of macOS Ventura and Monterey, and watchOS.
The bugs were discovered by Maddie Stone, a researcher at Google’s Threat Analysis Group, which investigates state-backed threats, and Citizen Lab’s Bill Marczak. In blog posts published Friday, both Google and Citizen Lab confirmed that Apple’s latest updates were to block an exploit used to plant the Predator spyware on the phone of an Egyptian presidential candidate.
Predator is a spyware, developed by Cytrox, a subsidiary of Intellexa, that can steal the contents of a person’s phone when planted, often by way of spoofed text messages pointing to malicious websites. Both Cytrox and Intellexa were added to a U.S. government denylist earlier this year, effectively banning U.S. companies from doing business with them.
This is the second high-profile security update dropped by Apple this month. Earlier in September, Citizen Lab said it discovered evidence of a zero-click vulnerability on a fully up-to-date iPhone (at the time) to plant the Pegasus spyware, developed by NSO Group. The target was a person working for an unnamed Washington-based organization.
The vulnerability was used as part of an exploit chain that Citizen Lab named BLASTPASS, because it involved PassKit, a framework that allows developers to include Apple Pay in their apps.
Marczak, who was speaking at TechCrunch Disrupt on Thursday, said this vulnerability resulted from a failed attempt to hack this U.S.-based victim’s device.
“Because this attempt failed, the remnants of this zero-click exploit were left over on the phone,” Marczak said. “In this case, the root of the vulnerability was a bug in Google’s WebP image library, which is integrated into the iPhone. Attackers found some way to exploit this to run arbitrary code within Apple’s iMessage sandbox to install spyware on the system.”
Update your devices today.