September 25, 2023

Apple has released security updates to patch three flaws that have been exploited by commercial spyware to infect iPhones and other devices.

The updates, which were released on September 22, 2023, should be installed as soon as possible to protect against these vulnerabilities.

The three flaws are CVE-2023-41991, a certificate validation issue that could allow a malicious app to bypass signature validation. CVE-2023-41992, a kernel-level privilege escalation hole that could be abused to gain full control of a device. And CVE-2023-41993, a web content processing flaw that could lead to arbitrary code execution.

macOS Monterey 12.7, macOS Ventura 13.6, watchOS 9.6.3, watchOS 10.0.1, iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, and Safari 16.6.1 are the Apple devices and software are affected by the flaws.

Google’s Threat Analysis Group (TAG) and The Citizen Lab have discovered evidence that these flaws were exploited by Predator spyware, which is sold by the company Intellexa. Intellexa was added to the U.S. entity list in July 2023 as a national security threat.

TAG has urged users to update their devices to the latest security patches and to use secure HTTPS rather than insecure HTTP where possible to help prevent redirects to malicious websites.

The sources for this piece include an article in TheRegister.