“Hacking the Unhackables” | Apple OS Suffers its 18th Cyber Infection in 2023 & Google & Microsoft Forced to Patch Chrome, Edge, Teams, Skype, etc. | Unmitigated Geo-Poli-Cyber™ Warfare Continues Unabated as “Cyber Spy Targeting” Escalates.

For the 18th time in 2023, Apple was forced to release emergency security updates to patch a new zero-day security flaw exploited in attacks targeting iPhone and iPad users worldwide. Google & Microsoft were also forced to patch their services.

The libvpx bug forced Google to patch its Chrome web browser and Microsoft its Edge, Teams, and Skype products.

Due to the gravity of this matter, MLi Group chairman and Survivability News Publisher Mr. Khaled Fattal weighed in by saying: 

“This is pure Geo-Poli-Cyber™ Warfare, it is unmitigated, and it is critically serious.

Top business, national and political decision makers and leaders need to wake up to this new reality and start rethinking their risk mitigation mind-sets that continue to fail them, their citizens and all stakeholders strategically and operationally.”

Fattal added, “Cyber Spy Targeting” is what the MLi Group have labeled as the practice of creating such exploits for the purpose of spying on people. This is a direct threat to democracy, human rights, human dignity, and their values.

Survivability News Aug 3, 2021 post about Pegasus Spyware.

In an advisory issued on Wednesday, Apple said, “Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6,

A senior MLi Group Geo-Poli-Cyber™ expert said, “In simple English this means that hackers became able to hack into Apple, Google and Microsoft devices and services and do whatever they wish as if they are the account holder themselves.” The expert added, “Bank accounts, content in messaging apps like WhatsApp, Messenger and others became accessible and readable as easy as eating cake.”

Fattal continued, saying, “‘Cyber Spy Targeting’ is often perpetrated by national governments, security agencies (and/or their proxies), cyber criminals and cyber terrorists, amongst others.”

“It is often aimed at journalists, political opponents and activists. We usually see a rise in this during election periods to target ordinary citizens to design ‘Purposed Disinformation’ social media and political campaigns to sway citizens to vote one way or another,” Fattal emphasized and concluded.

By July 2023, Apple had suffered its 10th Zero-Day Exploit.


The Technical Stuff.

The zero-day (CVE-2023-42824) is caused by a weakness discovered in the XNU kernel that enables local attackers to escalate privileges on unpatched iPhones and iPads.

While Apple said it addressed the security issue in iOS 17.0.3 and iPadOS 17.0.3 with improved checks, it has yet to reveal who found and reported the flaw.

The list of impacted devices is quite extensive, and it includes:

 

iPhone XS and later
iPad Pro 12.9-inch 2nd generation and later
iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later
iPad Air 3rd generation and later
iPad 6th generation and later
iPad mini 5th generation and later

Apple also addressed a zero-day tracked as CVE-2023-5217 and caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library, which could allow arbitrary code execution following successful exploitation.

The libvpx bug was previously patched by Google in the Chrome web browser and by Microsoft in its Edge, Teams, and Skype products.

CVE-2023-5217 was discovered by security researcher Clément Lecigne who is part of Google’s Threat Analysis Group (TAG), a team of security experts known for often finding zero-days abused in government-backed targeted spyware attacks targeting high-risk individuals.

17 zero-days exploited in attacks fixed this year
CVE-2023-42824 is the 17th zero-day vulnerability exploited in attacks that Apple has fixed since the start of the year.

Apple also recently patched three other zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG researchers and exploited in spyware attacks to install Cytrox’s Predator spyware.

Citizen Lab disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064)—fixed by Apple last month—abused as part of a zero-click exploit chain (dubbed BLASTPASS) to infect fully patched iPhones with NSO Group’s Pegasus spyware.

two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
and another WebKit zero-day (CVE-2023-23529) in February

Today’s iOS 17.0.3 release also addresses a known issue causing iPhones running iOS 17.0.2 and lower to overheat.

“This update provides important bug fixes, security updates, and addresses an issue that may cause iPhone to run warmer than expected,” Apple said.

 




What Is Geo-Poli-Cyber™?
MLi Group created the terms Poli-Cyber™ and Geo-Poli-Cyber™ in 2012. Geo-Poli-Cyber™ hacks are attacks with political, ideological, extremist, and ‘religious’ motivations. They are the hacks that cyber security, resiliency and continuity strategies and solutions routinely continue to fail to defend governments and organizations against. Key are the new breed of destruction/devastation-motivated Geo-Poli-Cyber hackers and lone wolves, who are often directed or backed not only by enemies but also by presumed allies.