Cybercriminals and “commercial” spyware developers frequently target iOS devices to carry out surveillance operations, data theft, and other nefarious actions. By identifying a weakness in Apple’s iOS WebKit, hackers can take advantage of security flaws like the one that Apple has fixed in their most recent version of the iPhone and iPad operating systems.
Apple has released a patched version of iOS and iPadOS that addresses a couple of severe security flaws. One of the vulnerabilities is already being exploited by unknown cybercriminals in the wild. The flaw may be part of well-known cybercrime services sold to some of the world’s most dangerous organizations and foreign states, based on the individuals Apple has thanked for the release of these zero-days.
Information about the two fixed bugs is included in the release notes of both iOS 16.3.1 and iPadOS 16.3.1. The first vulnerability, CVE-2023-23514, is described as a “use after free issue” addressed with improved memory management. A malicious app designed to exploit the bug could execute arbitrary code with kernel-level privileges.
The second vulnerability, known as CVE-2023-23529, is the most dangerous one. It is described as a “type confusion issue” in the WebKit browser engine that could be used to create a malicious web page for executing arbitrary code. Apple said it is aware that the issue may have already been actively exploited, which suggests that security researchers informed the company that the zero-day vulnerability is already being used in a malicious campaigns targeting iPhone and iPad users.
Apple thanked Xinru Chi of Pangu Lab, Ned Williamson of Google Project Zero, and an anonymous researcher for discovering the two vulnerabilities. Apple also acknowledged the help they received from The Citizen Lab at The University of Toronto’s Munk School in addressing the flaws.
The Citizen Lab group is well known for its research work on dangerous hacking tools created by the NSO Group and sold to government agencies and police forces worldwide. The Israeli company is infamous for creating Pegasus, multi-platform spyware software designed to exploit zero-day flaws such as CVE-2023-23529 for smartphone-based surveillance operations.
According to several reports, Pegasus has been used to target human rights activists and journalists, carry out state espionage in Pakistan, and conduct domestic surveillance against Israeli citizens. It also played a role in the murder of Jamal Khashoggi by agents of the Saudi government.
Given the involvement of Pegasus hunters at Citizen Lab and Apple’s current silence on the issue, CVE-2023-23529 could be yet another weapon discovered in the powerful arsenal of commercial spyware and surveillance tools routinely used to target dissidents around the world.