![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/09\/Predator-Spyware-on-iPhone-iOS-Intellexa-RFernandezPhone-NRaymondPeg-600x300-1.jpg\")
<\/p>\n<\/p>\n
On Thursday, September 21, Apple released security updates to address several major flaws. The patched zero-day vulnerabilities are evidently ones that Cytrox’s Predator spyware has actively exploited in the wild.<\/p>\n
Predator is commercial “mercenary” spyware, similar to the NSO Group’s Pegasus spyware. There are conflicting reports about whether Cytrox or Intellexa is properly identified as the company behind Predator. Cytrox is reportedly part of the Intellexa Alliance; Intellexa is a consortium of companies competing against the more well-known NSO Group. All of these organizations are on the U.S. government’s Entity List of restricted companies.<\/p>\n
In this article:<\/em><\/p>\n Apple patched at least three new vulnerabilities, as applicable, via the following operating system and Safari updates:<\/p>\n The links above go to Apple’s security release notes for each update. Some have speculated that iOS and iPadOS 15 may continue to get security updates over the coming year. Apple has in the past sometimes provided patches for up to three iOS versions as a time; iOS 12 has only had one update per year in 2022 and 2023, patching only one vulnerability in each update. The lack of iOS 15 updates on Thursday may not be a strong indicator either way; it’s possible that Apple could release more patches sometime later. But at this point, anyone still using an iPhone 6s, 6s Plus, SE (1st generation), 7, or 7 Plus (or an equivalent era iPad) should strongly consider upgrading <\/a>to a model that’s compatible with iOS 17 (or iPadOS 17) to protect their security and privacy.<\/p>\n Meanwhile, Apple continues to neglect to patch watchOS 8, the last major watchOS version compatible with Apple Watch Series 3. Apple continued to sell its Series 3 watch until earlier this year<\/a>, specifically March 2023. Since then, Apple has only released a single patch for a single vulnerability<\/a>\u2014leaving Apple Watch Series 3 highly susceptible to exploitation, including via vulnerabilities that have been actively exploited in the wild. Apple’s controversial decision to “quiet quit” patching a hardware product that it sold <\/a>mere months ago has, unfortunately, gotten little attention from the press and consumer advocacy groups.<\/p>\n While macOS Big Sur (the current “n -2” release) technically did get one patch for the WebKit vulnerability via the Safari update, this only addresses one of the three potentially applicable vulnerabilities that may affect that operating system.<\/p>\n Meanwhile, macOS Monterey (the current “n -1” release) appears to have gotten two of the three patches: the WebKit and kernel vulnerabilities.<\/p>\n But confusingly, macOS Ventura also got only two out of three patches\u2014though different ones from macOS Monterey. The macOS Ventura release notes do not claim that Apple patched the WebKit vulnerability\u2014even though Apple patched it for both of the previous macOS versions. Instead, Apple patched the kernel and “security” (signature validation bypass) issues, but perhaps not the WebKit issue.<\/p>\n <\/a>See below for more details about the vulnerabilities that Apple patched on Thursday and has disclosed so far.<\/p>\n The release notes for both macOS Ventura 13.6, and iOS 16.7 and iPadOS 16.7, both state, “Additional CVE entries coming soon.” So Apple apparently patched more vulnerabilities than the company has disclosed so far. These iOS and iPadOS 16 updates list all three vulnerabilities enumerated below, which match the iOS and iPadOS 17.0.1 updates from this cycle.<\/p>\n Most likely, the note about “additional CVE entries” refers to CVEs patched in the recent release of iOS and iPadOS 17.0 and the pending release of macOS Sonoma 14.0 (coming Tuesday, September 26) that have not yet been publicly disclosed.<\/a><\/p>\n <\/a>So far, Apple has listed the following vulnerabilities as being included in various of those patches:<\/p>\n Security<\/strong><\/p>\n Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later, macOS Ventura, Apple Watch Series 4 and later<\/p>\n Impact: A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited<\/span> against versions of iOS before iOS 16.7.<\/p>\n Description: A certificate validation issue was addressed.<\/p>\n <\/a>CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group<\/p>\n <\/p>\n Kernel<\/strong><\/p>\n Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later, macOS Monterey, macOS Ventura, Apple Watch Series 4 and later<\/p>\n Impact: A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited<\/span> against versions of iOS before iOS 16.7.<\/p>\n Description: The issue was addressed with improved checks.<\/p>\n <\/a>CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group<\/p>\n <\/p>\n WebKit<\/strong><\/p>\n Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later, macOS Big Sur and Monterey<\/p>\n Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited<\/span> against versions of iOS before iOS 16.7.<\/p>\n Description: The issue was addressed with improved checks.<\/p>\n WebKit Bugzilla: 261544<\/span> All three of these vulnerabilities were used as part of an exploit chain to install Predator spyware on iPhones, according to Google’s Threat Analysis Group<\/a> (TAG). The Citizen Lab reports<\/a> that one known target was a presidential candidate in Egypt.<\/p>\n Apple notes that “Additional CVE entries [are] coming soon” to the release notes for macOS Ventura 13.6 and for iOS 16.7 and iPadOS 16.7.<\/a><\/p>\n To update a Mac running macOS Ventura<\/strong>, go to System Settings > General > Software Update.<\/p>\n If you have any trouble getting the macOS update to show up, either press \u2318R at the Software Update screen, or type in the Terminal Macs running macOS Big Sur or Monterey can get these updates (or upgrade to macOS Ventura) via System Preferences > Software Update. If your Mac is running macOS High Sierra or older and is compatible with macOS Ventura, look for macOS Ventura in the Mac App Store and download it from there.<\/p>\n Note that only the latest macOS version is ever fully patched; older macOS versions only get a subsection of those patches and remain vulnerable. Therefore, staying on the latest macOS version is critically important for maintaining your security and privacy. For more information, see our article, “When does an old Mac become unsafe to use?<\/a>”<\/p>\n Users of iPhone or iPad<\/strong> can go to Settings > General > Software Update to update iOS or iPadOS on their devices.<\/p>\n To update watchOS on your Apple Watch<\/strong>, the process is a bit more complicated. First, update your iPhone to the latest operating system it can support (ideally the latest version of iOS 17). Next, ensure that both your iPhone and Watch are on the same Wi-Fi network. Your Apple Watch also needs to have at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.<\/p>\n Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data<\/strong> before installing any updates. This gives you a restore point if something does not go as planned. See our related article on how to check your macOS backups to ensure they work correctly<\/a>.<\/p>\n How to Verify Your Backups are Working Properly<\/a><\/p><\/blockquote>\n\n
\n
\n
Which operating systems did Apple patch (and not patch)?<\/h3>\n
\n
\n<\/a>
\nNotably missing from that list are iOS 15 and iPadOS 15, and watchOS 8.<\/p>\nNo patches for iOS 15 or iPadOS 15<\/strong><\/h4>\n
No patches for watchOS 8<\/strong><\/h4>\n
Possibly incomplete patches for macOS<\/strong><\/h4>\n
As-yet undisclosed patches for <\/strong>macOS Ventura 13.6, <\/strong>iOS 16.7 and iPadOS 16.7<\/strong><\/h4>\n
What vulnerabilities did Apple patch?<\/h3>\n
\nCVE-2023-41993: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group<\/p><\/blockquote>\nHow to install Apple security updates<\/h3>\n
softwareupdate -l<\/code> (that\u2019s a lowercase L) and press Return\/Enter.<\/p>\n