On September 21, 2023, Apple released emergency security updates to fix three vulnerabilities impacting macOS, iOS, iPadOS, and Safari.
| Vulnerability | Description | Impacted Product |
| --- | --- | --- |
| CVE-2023-41991 | A certificate validation issue in the WebKit engine could allow a malicious app to bypass signature validation. | macOS, iOS, iPadOS, watchOS |
| CVE-2023-41992 | A flaw in the kernel could potentially allow a local attacker to elevate their privileges due to inadequate checks. | macOS, iOS, iPadOS, watchOS |
| CVE-2023-41993 | Inadequate checks in the Security Framework could allow a threat actor to achieve arbitrary code execution via maliciously crafted web content. | Safari, iOS, iPadOS |
Citizen Lab and Google Threat Analysis Group (TAG) observed these three vulnerabilities exploited in an exploit chain against a former Egyptian Member of Parliament to deploy Predator spyware. Predator was developed by Intellexa/Cytrox to perform surveillance on targeted mobile devices. Earlier in 2023, the US Government banned Intellexa and Cytrox as these companies were involved in activities that threatened national security by targeting high-profile individuals worldwide.
Apple products can be appealing targets for threat actors due to their potential to store sensitive company information. This presents a risk to organizations with a Bring Your Own Device (BYOD) policy that allows employees to use their personal devices, as security updates may not be strongly enforced.
Recommendation for CVE-2023-41991, 41992, 41993
Upgrade Apple Products to Fixed Version
Arctic Wolf strongly recommends upgrading affected Apple products to their respective fixed version. These updates can be performed by going to the device’s system settings and selecting “Software Update”.
| Apple Product | Fixed Version |
| --- | --- |
| Safari (on macOS Big Sur and Monterey) | |
| iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later | |
| iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | |
| Apple Watch Series 4 and later | |
| Apple Watch Series 4 and later | |
| macOS Ventura | |
| macOS Monterey | |
Note: Citizen Lab urges all at-risk users to enable Lockdown Mode, as Apple’s Security Engineering and Architecture team has confirmed that Lockdown Mode blocks this particular attack.
Please follow your organization’s patching and testing guidelines to avoid operational impact.