Apple fixes zero-day spyware implant bug – patch now!

Credit to Author: Paul Ducklin| Date: Tue, 14 Feb 2023 13:08:32 +0000

Apple has just released updates for all supported Macs, and for any mobile devices running the very latest versions of their respective operating systems.

In version number terms:

  • iPhones and iPads on version 16 go to iOS 16.3.1 and iPadOS 16.3.1 respectively (see HT213635).
  • Apple Watches on version 9 go to watchOS 9.3.1 (no bulletin).
  • Macs running Ventura (version 13) go to macOS 13.2.1 (see HT213633).
  • Macs running Big Sur (version 11) and Monterery (12) get an update dubbed Safari 16.3.1 (see HT213638).

Oh, and tvOS gets an update, too, although Apple’s TV platform confusingly goes to tvOS 16.3.2 (no bulletin).

Apparently, tvOS recently received a product-specific functionality fix (one listed on Apple’s security page with no information beyond the sentence This update has no published CVE entries, implying no reported security fixes) that already used up the version number 16.3.1 for Apple TVs.

As we’ve seen before, mobile devices still using iOS 15 and iOS 12 get nothing, but whether that’s because they’re immune to this bug or simply that Apple hasn’t got round to patching them yet…

…we have no idea.

We’ve never been quite sure whether this counts as a telltale of delayed updates or not, but (as we’ve seen in the past) Apple’s security bulletin numbers form an intermittent integer sequence. The numbers go from 213633 to 213638 inclusive, with a gap at 213634 and gaps at 213636 and 213637. Are these security holes that will get backfilled with yet-to-be-released patches, or are they just gaps?

What sort of zero-day is it?

Given that the Safari browser has been updated on the pre-previous and pre-pre-previous versions of macOS, we’re assuming that older mobile devices will eventually receive patches, too, but you’ll have to keep your eyes on Apple’s official HT201222 Security Updates portal to know if and when they come out.

As mentioned in the headline, this is another of those “this smells like spyware or a jailbreak” issues, given that the all updates for which official documentation exists include patches for a bug denoted CVE-2023-23529.

This security hole is a flaw in Apple’s WebKit component that’s described as Processing maliciously crafted web content may lead to arbitrary code execution.

The bug also receives Apple’s usual euphemism for “this is a zero-day hole that crooks are already abusing for evil ends, and you can surely imagine what those might be”, namely the words that Apple is aware of a report that this issue may have been actively exploited.

Remember that WebKit is a low-level operating system component that’s responsible for processing data fetched from remote web servers so that it can be displayed by Safari and many other web-based windows programmed into hundreds of other apps.

So, the words arbitrary code execution above really stand for remote code execution, or RCE.

Installjacking

Web-based RCE exploits generally give attackers a way to lure you to a booby-trapped website that looks entirely unexceptionable and unthreatening, while implanting malware invisibly simply as a side-effect of you viewing the site.

A web RCE typically doesn’t provoke any popups, warnings, download requests or any other visible signs that you are initiating any sort of risky behaviour, so there’s no point at which attacker needs catch you out or to trick you into taking the sort of online risk that you’d normally avoid.

That’s why this sort of attack is often referred to as a drive-by download or a drive-by install.

Just looking at a website, which ought to be harmless, or opening an app that relies on web-based content for any of its pages (for example its splash screen or its help system), could be enough to infect your device.

Remember also that on Apple’s mobile devices, even non-Apple browsers such as Firefox, Chrome and Edge are compelled by Apple’s AppStore rules to stick to WebKit.

If you install Firefox (which has its own browser “engine” called Gecko) or Edge (based on a underlying layer called Blink) on your Mac, those alternative browsers don’t use WebKit under the hood, and therefore won’t be vulnerable to WebKit bugs.

(Note that this doesn’t immunise you from security problems, given that Gecko and Blink may bring along their own additional bugs, and given that plenty of Mac software components use WebKit anyway, whether you steer clear of Safari or not.)

But on iPhones and iPads, all browsers, regardless of vendor, are required to use the operating system’s own WebKit substrate, so all of them, including Safari, are theoretically at risk when a WebKit bug shows up.

What to do?

If you have an Apple product on the list above, do an update check now.

That way, if you’ve already got the update, you’ll reassure yourself that you’re patched, but if your device hasn’t got to the front of the download queue yet (or you’ve got automatic updates turned off, either by accident or design), you’ll be offered the update right away.

On a Mac, it’s Apple menu > About this Mac > Software Update… and on an iDevice, it’s Settings > General > Software Update.


If your Apple product isn’t on the list, notably if you’re stuck back on iOS 15 or iOS 12, there’s nothing you can do right now, but we suggest keeping an eye on Apple’s HT201222 page in case your product is affected and does get an update in the next few days.


As you can imagine, given how strictly Apple locks down its mobile products to stop you using apps from anywhere but the App Store, over which it exerts complete commercial and technical control…

…bugs that allow rogues and crooks to inject unauthorised code onto Apple phones are highly sought after, given that RCEs are about the only reliable way for attackers to hit you up with malware, spyware or any other sort of cyberzombie programming.

Which gives us a good reason, as always, to say: Don’t delay/Do it today.


http://feeds.feedburner.com/NakedSecurity

Leave a Reply