Apple on Thursday moved to patch three zero-day vulnerabilities actively exploited in the wild that security researchers believe are the work of commercial spyware vendors.
That brings the number of zero-days Apple has fixed this year to 16, a count security researchers said shows that the popularity of Apple products has made them an attractive target.
In advisories, Apple credited Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group for bringing the latest zero-days to their attention.
“A total of 16 zero-day vulnerabilities in a year is significant,” said Callie Guenther, senior manager, cyber threat research at Critical Start. “Zero-days, by definition, are previously unknown and unpatched vulnerabilities that can be exploited. This high number could suggest that Apple devices, given their popularity and extensive user base, are attractive targets for advanced threat actors.”
Guenther also noted that many of these vulnerabilities were discovered by groups such as Citizen Lab and Google's Threat Analysis Group, which often focus on state-sponsored and high-level cyber-espionage campaigns, and said this suggests Apple devices are being targeted in sophisticated attacks against high-profile individuals.
For example, after Citizen Lab reported on Sept. 7 that an actively exploited zero-click vulnerability was being used to deliver NSO Group's Pegasus mercenary spyware to an Apple device, Apple quickly issued fixes for the two CVEs involved.
The Pegasus spyware developed and distributed by the NSO Group has been widely used by both the private and government sectors across the globe for surveillance purposes against journalists, human and civil rights activists, politicians and other individuals.
The zero-days patched yesterday by Apple include the following:
Ken Westin, Field CISO at Panther Labs, added that these new zero-days appear to be tied to commercial spyware vendors. Westin said there is a disturbing rise in the use of zero-day vulnerabilities, and the exploits built on them, by commercial spyware vendors.
“The great work by Citizen Lab and Google in reporting these vulnerabilities to Apple indicates that these vulnerabilities have been exploited in the wild,” said Westin. “The work that’s being done to expose these vulnerabilities that are being exploited by commercial spyware vendors is also raising the cost of doing business for spyware vendors. When a particular vulnerability is used by commercial spyware vendors they now run the risk of their zero-day exploit being burned, so may only be able to leverage the exploit within a small window of time.”
Apple introduced critical security patches
Michael Covington, vice president of Portfolio Strategy at Jamf, said it's helpful to remember that Apple updated its software release process earlier this year. In the previous model, Covington said, new features, bug fixes and security patches all shipped in a single release. The new model separates critical security patches from functional updates, which lets Apple be more nimble in addressing vulnerabilities that attackers are actively exploiting.
Covington said this new security patch process, delivered under the name of Rapid Security Response (RSR), lets Apple distribute much smaller pieces of code on a more regular basis, as the need arises.
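An RSR shows up on a device as a letter suffix on the OS version, for example "13.4.1 (a)", which `sw_vers` on macOS 13.3 and later reports as a separate ProductVersionExtra line. The POSIX shell script below is an added example, not code from the article, from Apple or from Jamf: it audits a constructed device inventory (hostname, ProductVersion, ProductVersionExtra) and flags devices that are still on the baseline release without the RSR applied, or on an older release altogether. The baseline version, the expected RSR letter and the inventory lines are assumptions for the example; the rule that a later full OS release supersedes an RSR reflects Apple's statement that RSR fixes are folded into subsequent updates.

```shell
#!/bin/sh
# Added example: audit which devices in a fleet inventory have taken a Rapid
# Security Response (RSR). Not the article's, Apple's or Jamf's code.
# Assumptions (constructed for the example): the baseline release and RSR letter
# below, and the inventory lines, which mimic "hostname ProductVersion ProductVersionExtra"
# as `sw_vers` would report them (ProductVersionExtra is empty when no RSR is installed).

BASELINE_VERSION="13.4.1"   # assumed: the full OS release the RSR was issued for
BASELINE_EXTRA="(a)"        # assumed: the RSR letter every device should carry

# Constructed inventory; the third field is empty when no RSR is installed.
INVENTORY='mac-01 13.4.1 (a)
mac-02 13.4.1
mac-03 13.3.1 (a)
mac-04 13.4.1 (b)'

# rsr_letter "(a)" prints "a"; prints nothing for an empty or malformed suffix.
rsr_letter() {
    printf '%s' "$1" | sed -n 's/^(\([a-z]\))$/\1/p'
}

# version_ge A B: exit 0 when dotted version A >= B (missing components count as 0).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ -z "$ah" ] && ah=0
        [ -z "$bh" ] && bh=0
        [ "$ah" -gt "$bh" ] && return 0
        [ "$ah" -lt "$bh" ] && return 1
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    return 0
}

# rsr_status VERSION EXTRA: prints "ok", "missing-rsr" or "old-os".
rsr_status() {
    ver=$1 extra=$2
    if ! version_ge "$ver" "$BASELINE_VERSION"; then
        echo old-os
        return
    fi
    # A later full release already contains the RSR content, so only devices
    # sitting exactly on the baseline release need the RSR letter.
    if [ "$ver" != "$BASELINE_VERSION" ]; then
        echo ok
        return
    fi
    have=$(rsr_letter "$extra")
    want=$(rsr_letter "$BASELINE_EXTRA")
    if [ -z "$have" ]; then
        echo missing-rsr
        return
    fi
    # Letters are issued in order, so "(b)" satisfies a baseline of "(a)".
    if [ "$(printf '%s\n%s\n' "$have" "$want" | sort | head -n 1)" = "$want" ]; then
        echo ok
    else
        echo missing-rsr
    fi
}

# audit_inventory: prints "host status" for every device that is not "ok".
audit_inventory() {
    printf '%s\n' "$INVENTORY" | while read -r host ver extra; do
        st=$(rsr_status "$ver" "$extra")
        if [ "$st" != ok ]; then
            echo "$host $st"
        fi
    done
}

audit_inventory
```

Run as-is and the script reports mac-02 (baseline release, no RSR) and mac-03 (older release); mac-04 passes because a later RSR letter supersedes the expected one. In a real fleet the inventory would come from MDM or from `sw_vers -productVersion` and `sw_vers -productVersionExtra` collected per host.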
“Given the attention Apple platforms are getting as they grow in popularity, it's not surprising that there are more vulnerabilities discovered and exploited,” said Covington. “Regardless, the new RSR model is a good thing for the industry, as it allows a vendor to rapidly correct bugs without worrying about including feature updates in the same codebase.”