Full Report
Last week Google’s Threat Analysis Group (TAG), in partnership with The Citizen Lab, discovered an in-the-wild 0-day exploit chain for iPhones. Developed by the commerci…
Analysis Summary
# Vulnerability: Intellexa Predator Spyware Zero-Day Exploit Chain on iOS
## CVE Details
- CVE ID: CVE-2023-41991, CVE-2023-41992, CVE-2023-41993
- CVSS Score: Not explicitly provided, but severity is critical given in-the-wild 0-day exploitation leading to spyware installation.
- CWE: Not explicitly provided; the three issues are a remote code execution (RCE) bug, a certificate validation issue, and a local privilege escalation (LPE).
## Affected Systems
- Products: iOS devices (iPhone/iPad)
- Versions: Versions prior to iOS 16.7 and iOS 17.0.1
- Configurations: Exploits were delivered via a man-in-the-middle (MITM) attack that redirected plaintext HTTP traffic to the exploit server.
## Vulnerability Description
The issue is an exploit chain developed by the commercial surveillance vendor Intellexa and used to silently install Predator spyware. The chain consists of three vulnerabilities:
1. **CVE-2023-41993:** Remote Code Execution (RCE) in Safari.
2. **CVE-2023-41991:** Certificate validation issue.
3. **CVE-2023-41992:** Local Privilege Escalation (LPE) in the XNU Kernel, allowing final implant installation.
The delivery mechanism involved an attacker intercepting unencrypted HTTP traffic (MITM attack) to redirect the target user to an exploit server (sec-flare\[.\]com). This process reportedly did not require user interaction (no document opening, link clicking, or call answering), though it relied on a network-level user action (visiting an HTTP site).
*Note: A separate vulnerability, CVE-2023-4762 (RCE in Chrome Renderer), was reportedly used for initial compromise on Android devices.*
## Exploitation
- Status: Exploited in the wild (0-day) by the commercial vendor Intellexa to install Predator spyware.
- Complexity: Low-to-Medium (Relies on a MITM network condition but the execution chain itself is automated once the user hits the exploit server).
- Attack Vector: Network (Requires MITM positioning to redirect HTTP traffic).
## Impact
- Confidentiality: High (Installation of surveillance spyware)
- Integrity: High (System compromise)
- Availability: Potential (Depends on the full implant capabilities, but system integrity is lost)
## Remediation
### Patches
- iOS 16.7
- iOS 17.0.1
### Workarounds
Users are strongly encouraged to update immediately. For network-level protection against MITM redirection:
1. **Use HTTPS:** Avoid initiating connections to websites over HTTP.
2. **Enable Chrome's "HTTPS-First Mode":** This mode attempts to load all pages over HTTPS, showing a warning before falling back to HTTP, reducing the risk of MITM injection during browsing. (This primarily helps Chrome users but highlights best practice).
## Detection
- Indicators of Compromise: TAG researchers did not fully capture the final Predator implant, so implant-level indicators are limited.
- Detection methods and tools: Monitoring network traffic for suspicious redirects from known HTTP sites to exploit servers (e.g., sec-flare\[.\]com). Security tooling should monitor for IOCs related to the Predator spyware post-exploitation.
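As an added example (not part of the TAG or Citizen Lab reporting), the check below scans constructed proxy-log lines for the redirect pattern the Detection section describes: a 3xx response whose Location points at the watchlisted exploit-server domain, plus a lower-confidence heuristic for plaintext-HTTP requests redirected to a different plaintext host. The log layout, sample hosts and client addresses are assumptions.

```python
import re
from urllib.parse import urlsplit

# Exploit-server domain as defanged on the page; refanged only when matching.
WATCHLIST = {"sec-flare[.]com"}

# Assumed log layout (constructed): "<ts> <client> <method> <url> <status> <location|->"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\S+)$")


def refang(host: str) -> str:
    return host.replace("[.]", ".").lower()


def is_watchlisted(host: str) -> bool:
    host = host.lower()
    return any(host == w or host.endswith("." + w) for w in map(refang, WATCHLIST))


def find_suspicious_redirects(lines):
    """Return (client, requested_url, redirect_target, reason) tuples.
    reason "watchlist": Location points at a known exploit-server domain.
    reason "http_offsite": plaintext HTTP request redirected to a different
    host that is also plaintext, the shape an injected redirect takes.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate lines in other formats instead of aborting
        _, client, _, url, status, location = m.groups()
        if not 300 <= int(status) < 400 or location == "-":
            continue  # only redirect responses are of interest
        src, dst = urlsplit(url), urlsplit(location)
        if dst.hostname and is_watchlisted(dst.hostname):
            hits.append((client, url, location, "watchlist"))
        elif src.scheme == "http" and dst.scheme == "http" and src.hostname != dst.hostname:
            hits.append((client, url, location, "http_offsite"))
    return hits


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    "2023-09-22T10:00:01Z 10.0.0.5 GET http://example.org/news 302 http://sec-flare.com/l/abc",
    "2023-09-22T10:00:02Z 10.0.0.5 GET http://sec-flare.com/l/abc 200 -",
    "2023-09-22T10:00:03Z 10.0.0.7 GET http://example.org/ 301 https://example.org/",
    "2023-09-22T10:00:04Z 10.0.0.8 GET http://example.net/ 302 http://cdn.example.com/p",
]

if __name__ == "__main__":
    for hit in find_suspicious_redirects(SAMPLE_LOG):
        print("suspicious redirect:", hit)
```

The "http_offsite" heuristic will also match legitimate plaintext cross-host redirects, so treat it as a triage signal rather than an alert on its own.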
## References
- Apple Advisory (iOS 16.7): defanged: support \* apple \* com/en-us/HT213927
- Apple Advisory (iOS 17.0.1): defanged: support \* apple \* com/en-us/HT213926
- Citizen Lab Report: defanged: citizenlab \* ca/2023/09/predator-in-the-wires-ahmed-eltantawy-targeted-with-predator-spyware-after-announcing-presidential-ambitions
- Chrome CVE for Android component: defanged: chromereleases \* googleblog \* com/2023/09/stable-channel-update-for-desktop\*html
- Chrome HTTPS-First Mode explanation: defanged: blog \* chromium \* org/2021/07/increasing-https-adoption\*html
- Enable HTTPS-First Mode: defanged: support \* google \* com/chrome/answer/10468685