
Apple patches Predator-exploited vulnerabilities for iOS, iPadOS, macOS, watchOS


On Thursday, September 21, Apple released security updates to address several major flaws. The patched zero-day vulnerabilities are evidently ones that Cytrox’s Predator spyware has actively exploited in the wild.

Predator is commercial “mercenary” spyware, similar to the NSO Group’s Pegasus spyware. There are conflicting reports about whether Cytrox or Intellexa is properly identified as the company behind Predator. Cytrox is reportedly part of the Intellexa Alliance; Intellexa is a consortium of companies competing against the more well-known NSO Group. All of these organizations are on the U.S. government’s Entity List of restricted companies.


Which operating systems did Apple patch (and not patch)?

Apple patched at least three new vulnerabilities, as applicable, via the following operating system and Safari updates:

The links above go to Apple’s security release notes for each update.

Notably missing from that list are iOS 15 and iPadOS 15, and watchOS 8.

No patches for iOS 15 or iPadOS 15

Some have speculated that iOS and iPadOS 15 may continue to get security updates over the coming year. Apple has in the past sometimes provided patches for up to three iOS versions at a time; iOS 12 has only had one update per year in 2022 and 2023, patching only one vulnerability in each update. The lack of iOS 15 updates on Thursday may not be a strong indicator either way; it’s possible that Apple could release more patches sometime later. But at this point, anyone still using an iPhone 6s, 6s Plus, SE (1st generation), 7, or 7 Plus (or an equivalent era iPad) should strongly consider upgrading to a model that’s compatible with iOS 17 (or iPadOS 17) to protect their security and privacy.

No patches for watchOS 8

Meanwhile, Apple continues to neglect to patch watchOS 8, the last major watchOS version compatible with Apple Watch Series 3. Apple continued to sell its Series 3 watch until earlier this year, specifically March 2023. Since then, Apple has only released a single patch for a single vulnerability—leaving Apple Watch Series 3 highly susceptible to exploitation, including via vulnerabilities that have been actively exploited in the wild. Apple’s controversial decision to “quiet quit” patching a hardware product that it sold mere months ago has, unfortunately, gotten little attention from the press and consumer advocacy groups.

Possibly incomplete patches for macOS

While macOS Big Sur (the current “n-2” release) technically did get one patch for the WebKit vulnerability via the Safari update, this only addresses one of the three potentially applicable vulnerabilities that may affect that operating system.

Meanwhile, macOS Monterey (the current “n-1” release) appears to have gotten two of the three patches: the WebKit and kernel vulnerabilities.

But confusingly, macOS Ventura also got only two out of three patches—though different ones from macOS Monterey. The macOS Ventura release notes do not claim that Apple patched the WebKit vulnerability—even though Apple patched it for both of the previous macOS versions. Instead, Apple patched the kernel and “security” (signature validation bypass) issues, but perhaps not the WebKit issue.

See below for more details about the vulnerabilities that Apple patched on Thursday and has disclosed so far.

As-yet undisclosed patches for macOS Ventura 13.6, iOS 16.7 and iPadOS 16.7

The release notes for macOS Ventura 13.6 and for iOS 16.7 and iPadOS 16.7 both state, “Additional CVE entries coming soon.” So Apple apparently patched more vulnerabilities than the company has disclosed so far. These iOS and iPadOS 16 updates list all three vulnerabilities enumerated below, which match the iOS and iPadOS 17.0.1 updates from this cycle.

Most likely, the note about “additional CVE entries” refers to CVEs patched in the recent release of iOS and iPadOS 17.0 and the pending release of macOS Sonoma 14.0 (coming Tuesday, September 26) that have not yet been publicly disclosed.

What vulnerabilities did Apple patch?

So far, Apple has listed the following vulnerabilities as being included in one or more of those patches:

Security

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later, macOS Ventura, Apple Watch Series 4 and later

Impact: A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Description: A certificate validation issue was addressed.

CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group

Kernel

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later, macOS Monterey, macOS Ventura, Apple Watch Series 4 and later

Impact: A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Description: The issue was addressed with improved checks.

CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group

WebKit

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later, macOS Big Sur and Monterey

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 261544
CVE-2023-41993: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group

All three of these vulnerabilities were used as part of an exploit chain to install Predator spyware on iPhones, according to Google’s Threat Analysis Group (TAG). The Citizen Lab reports that one known target was a presidential candidate in Egypt.

Apple notes that “Additional CVE entries [are] coming soon” to the release notes for macOS Ventura 13.6 and for iOS 16.7 and iPadOS 16.7.

How to install Apple security updates

To update a Mac running macOS Ventura, go to System Settings > General > Software Update.

If you have any trouble getting the macOS update to show up, either press ⌘R at the Software Update screen, or type in the Terminal softwareupdate -l (that’s a lowercase L) and press Return/Enter.

Macs running macOS Big Sur or Monterey can get these updates (or upgrade to macOS Ventura) via System Preferences > Software Update. If your Mac is running macOS High Sierra or older and is compatible with macOS Ventura, look for macOS Ventura in the Mac App Store and download it from there.

Note that only the latest macOS version is ever fully patched; older macOS versions only get a subset of those patches and remain vulnerable. Therefore, staying on the latest macOS version is critically important for maintaining your security and privacy. For more information, see our article, “When does an old Mac become unsafe to use?”

Users of iPhone or iPad can go to Settings > General > Software Update to update iOS or iPadOS on their devices.

To update watchOS on your Apple Watch, the process is a bit more complicated. First, update your iPhone to the latest operating system it can support (ideally the latest version of iOS 17). Next, ensure that both your iPhone and Watch are on the same Wi-Fi network. Your Apple Watch also needs to have at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.

Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned. See our related article on how to check your macOS backups to ensure they work correctly.


See also our article on how to back up your iPhone or iPad to iCloud and to your Mac.


How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.

Image credits: iPhone: Rafael Fernandez (CC BY-SA 4.0) • background: N. Raymond (CC BY 2.0) • Predator • composition: Joshua Long, Intego (CC BY-SA 4.0).

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.