CVE-2023-41990 — Apple Multiple Products Code Execution Vulnerability

CVE-2023-41990

Apple iOS/macOS — Font Parser Code Execution via Undocumented CPU Feature, Used in Operation Triangulation

What is Apple's Font Parsing Subsystem?

Apple's operating systems include a system-level font rendering engine (FontParser / CoreText framework) that processes TrueType, OpenType, and other font formats for display in the UI, documents, and web content. Font processing occurs at a privileged system level and is triggered automatically when applications render text — including text received in messages or documents. Vulnerabilities in font parsing are particularly dangerous because they can be triggered without explicit user action (e.g., by rendering a received message) and because font parsers are complex, handling intricate file format specifications that have historically contained exploitable bugs.

Overview

CVE-2023-41990 is a code execution vulnerability triggered when processing a maliciously crafted font file, affecting iOS, iPadOS, macOS (multiple versions), tvOS, and watchOS. It is one of four zero-day vulnerabilities that make up the Operation Triangulation exploit chain — one of the most technically sophisticated iOS attack chains ever analyzed publicly. The chain also included exploitation of an undocumented hardware feature in Apple Silicon and A-series chips, discovered by Kaspersky researchers. Apple patched this vulnerability in January 2023 releases, but it was not added to the CISA KEV catalog until January 2024, when the full scope of exploitation was publicly understood.

Affected Versions

Product          Affected                               Fixed
iOS              Prior to 15.7.2 and prior to 16.2      15.7.2 / 16.2
iPadOS           Prior to 15.7.2 and prior to 16.2      15.7.2 / 16.2
macOS Ventura    Prior to 13.2                          13.2
macOS Monterey   Prior to 12.6.3                        12.6.3
tvOS             Prior to 16.2                          16.2
watchOS          Prior to 9.2                           9.2

Technical Details

CVE-2023-41990 involves the parsing of TrueType font files, specifically exploitation of the ADJUST instruction in the TrueType bytecode interpreter. The Kaspersky researchers who reverse-engineered the Operation Triangulation chain found that the exploit chain also leveraged an undocumented hardware feature in Apple's A-series and M-series processors — a memory-mapped register (reachable via specific MMIO addresses) that GPU firmware used for hardware operations but that appears in no public Apple developer documentation.

The Operation Triangulation four-CVE chain worked as follows:

  1. Delivery: Zero-click iMessage attachment (a malicious .icm color profile or similar attachment) is received, triggering font processing without user interaction.
  2. CVE-2023-41990: The font parser vulnerability provides initial code execution.
  3. Additional kernel and sandbox escape vulnerabilities complete the privilege escalation.
  4. The final payload is a full-featured spyware implant (the Triangulation spy platform) with microphone recording, location tracking, and data exfiltration capabilities.

The use of an undocumented hardware feature — not found in any Apple firmware documentation — suggests either that the attacker had access to Apple's internal chip design documentation or performed deep hardware reverse engineering.
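As a defender-side illustration of the TrueType bytecode interpreter discussed above, the following is an added example (not code from this page, from Apple, or from the Kaspersky researchers). It parses a TrueType font's table directory and walks the fpgm, prep and simple-glyph instruction streams, reporting every opcode that the public TrueType instruction set leaves reserved. This page does not give the numeric value of Apple's undocumented ADJUST opcode, so the reserved-opcode set is taken from the public specification and is an assumption, the sample font is constructed, and the script is a triage heuristic for font attachments rather than a signature for this CVE. Operands of the push instructions are skipped so that inline data bytes are never mistaken for opcodes.

```python
"""Triage helper: list TrueType bytecode opcodes outside the documented instruction
set. Added example, not Apple's or Kaspersky's code. The reserved ranges below are
an assumption from the public TrueType spec; the ADJUST opcode value is not known here."""
import struct

# Opcodes left reserved/undefined by the public TrueType instruction set.
# 0x91 (GETVARIATION) and 0x92 (GETDATA) are documented by Microsoft, so excluded.
RESERVED_OPCODES = frozenset(
    ({0x28, 0x7B, 0x83, 0x84} | set(range(0x8F, 0xB0))) - {0x91, 0x92})


def decode_opcodes(stream: bytes):
    """Yield (offset, opcode) per instruction, skipping the inline data carried by
    NPUSHB / NPUSHW / PUSHB[n] / PUSHW[n] so data bytes are never read as opcodes."""
    i, n = 0, len(stream)
    while i < n:
        op = stream[i]
        yield i, op
        if op == 0x40:                      # NPUSHB: count byte, then count bytes
            i += 2 + (stream[i + 1] if i + 1 < n else 0)
        elif op == 0x41:                    # NPUSHW: count byte, then count words
            i += 2 + 2 * (stream[i + 1] if i + 1 < n else 0)
        elif 0xB0 <= op <= 0xB7:            # PUSHB[n]: n+1 bytes follow
            i += 1 + (op - 0xB0 + 1)
        elif 0xB8 <= op <= 0xBF:            # PUSHW[n]: n+1 words follow
            i += 1 + 2 * (op - 0xB8 + 1)
        else:
            i += 1


def parse_table_directory(font: bytes) -> dict:
    """Return {tag: table bytes} from the sfnt header and its table records."""
    num_tables = struct.unpack_from(">H", font, 4)[0]
    tables = {}
    for k in range(num_tables):
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", font, 12 + 16 * k)
        tables[tag.decode("latin-1")] = font[offset:offset + length]
    return tables


def glyph_instruction_streams(tables: dict):
    """Yield (glyph_index, instructions) for simple glyphs. Composite glyphs keep
    their instructions after the component list and are skipped in this example."""
    if not all(t in tables for t in ("head", "maxp", "loca", "glyf")):
        return
    long_loca = struct.unpack_from(">h", tables["head"], 50)[0] == 1
    num_glyphs = struct.unpack_from(">H", tables["maxp"], 4)[0]
    loca, glyf = tables["loca"], tables["glyf"]
    for g in range(num_glyphs):
        if long_loca:
            start, end = struct.unpack_from(">II", loca, 4 * g)
        else:                               # short format stores offset / 2
            start, end = (2 * v for v in struct.unpack_from(">HH", loca, 2 * g))
        if end - start < 10:
            continue                        # empty glyph: no outline, no program
        blob = glyf[start:end]
        n_contours = struct.unpack_from(">h", blob, 0)[0]
        if n_contours < 0:
            continue                        # composite glyph (see docstring)
        pos = 10 + 2 * n_contours           # header + endPtsOfContours[]
        ilen = struct.unpack_from(">H", blob, pos)[0]
        yield g, blob[pos + 2:pos + 2 + ilen]


def find_reserved_opcodes(font: bytes) -> list:
    """Return [(where, offset, opcode)] for every reserved opcode in the fpgm, prep
    and simple-glyph instruction streams of a TrueType font."""
    tables = parse_table_directory(font)
    streams = [(t, tables[t]) for t in ("fpgm", "prep") if t in tables]
    streams += [(f"glyf[{g}]", s) for g, s in glyph_instruction_streams(tables)]
    return [(where, off, op) for where, s in streams
            for off, op in decode_opcodes(s) if op in RESERVED_OPCODES]


# --- constructed sample font (not a real-world file) ---------------------------
def build_font(tables: dict) -> bytes:
    """Assemble a minimal sfnt container; table checksums are left zero."""
    tags = sorted(tables)
    header = struct.pack(">IHHHH", 0x00010000, len(tags), 0, 0, 0)
    directory, body, base = b"", b"", 12 + 16 * len(tags)
    for tag in tags:
        blob = tables[tag]
        directory += struct.pack(">4sIII", tag.encode("latin-1"), 0, base + len(body), len(blob))
        body += blob + b"\0" * (-len(blob) % 4)
    return header + directory + body


def sample_font(fpgm=b"\xB0\x00\x2C\x2D", prep=b"\xB1\x01\x02\x60",
                glyph_instr=b"\xB0\x00\x30") -> bytes:
    """One simple glyph (one contour, one on-curve point) plus the given programs."""
    glyph = (struct.pack(">hhhhh", 1, 0, 0, 10, 10)        # numberOfContours, bbox
             + struct.pack(">HH", 0, len(glyph_instr))     # endPtsOfContours[0], instructionLength
             + glyph_instr
             + b"\x01" + struct.pack(">hh", 5, 5))         # flags, x, y
    glyph += b"\0" * (-len(glyph) % 4)
    head = b"\0" * 50 + struct.pack(">hh", 0, 0)            # indexToLocFormat = 0 (short loca)
    maxp = struct.pack(">IH", 0x00010000, 1) + b"\0" * 26   # numGlyphs = 1
    loca = struct.pack(">HH", 0, len(glyph) // 2)
    return build_font({"head": head, "maxp": maxp, "loca": loca,
                       "glyf": glyph, "fpgm": fpgm, "prep": prep})
```

On a real file, `find_reserved_opcodes(open(path, "rb").read())` returns a list of (table, offset, opcode) hits; an empty list on a clean font and a hit for a program such as `sample_font(glyph_instr=b"\xB1\x01\x02\x8F")`, while `sample_font(fpgm=b"\x40\x01\x8F\x2D")` reports nothing because the 0x8F byte there is NPUSHB data, not an opcode. Composite glyphs, CFF-based OpenType and TTC collections are outside what this example parses.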

Discovery

Kaspersky researchers Boris Larin, Leonid Bezvershenko, Georgy Kucherin, and Valentin Pashkov discovered and fully reverse-engineered Operation Triangulation, presenting their findings at the 37th Chaos Communication Congress (37C3) in December 2023. The campaign was initially discovered in June 2023 after Kaspersky staff detected network traffic anomalies from iOS devices.

Exploitation Context

Operation Triangulation targeted Kaspersky employees and, according to Russia's FSB, Russian government officials and embassies. The campaign ran from approximately 2019 through 2023 using a progression of zero-click exploit chains. The threat actor behind Operation Triangulation has not been definitively publicly attributed.

The sophistication of the chain — zero-click delivery, use of undocumented hardware, four chained zero-days, and a feature-rich spyware implant — places it among the most advanced iOS attack operations ever documented, comparable to NSO Group's Pegasus chains.

Remediation

  1. Update all Apple devices to the January 2023 update levels or later — iOS 15.7.2 / 16.2, macOS Ventura 13.2 / Monterey 12.6.3, tvOS 16.2, watchOS 9.2 contain the fix.
  2. Keep Apple devices fully updated at all times — zero-click exploit chains are repaired once discovered, but unpatched devices remain perpetually vulnerable.
  3. Enable Lockdown Mode on iOS for individuals at elevated risk of sophisticated targeted attacks — it restricts iMessage functionality and other attack vectors.
  4. For organizations: use MDM to enforce OS version compliance and flag devices running outdated software.
  5. Review network traffic from iOS devices for anomalous outbound connections — Kaspersky initially detected Operation Triangulation through network monitoring. Consider deploying mobile threat defense (MTD) solutions.
  6. If compromise is suspected, a full device wipe and restore is required: factory reset and restore from a clean pre-compromise backup, since Triangulation's implant had persistence mechanisms.
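For the MDM version-compliance step above, the following is an added example (not code from this page, from Apple, from CISA, or from any MDM vendor) that turns the Affected Versions table into a per-branch check: a device is flagged vulnerable only when its major release is one the table covers and its build is below that branch's fixed build, a later major release is treated as patched, and an older branch the table does not list gets an explicit "unknown" rather than a guess. The inventory records are constructed; a real deployment would read them from the MDM's export.

```python
"""Flag inventoried Apple devices still below the builds that fix CVE-2023-41990.
Added example; the fixed builds come from this page's Affected Versions table and
the inventory records below are constructed, not real device data."""

# Minimum fixed build per product and major release branch, from the page's table.
FIXED_BUILDS = {
    "iOS":            {15: "15.7.2", 16: "16.2"},
    "iPadOS":         {15: "15.7.2", 16: "16.2"},
    "macOS Ventura":  {13: "13.2"},
    "macOS Monterey": {12: "12.6.3"},
    "tvOS":           {16: "16.2"},
    "watchOS":        {9: "9.2"},
}


def parse_version(text: str) -> tuple:
    """'16.1.2' -> (16, 1, 2); short versions are zero-padded so '16.2' == (16, 2, 0)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def assess(product: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown'.

    'unknown' covers products or branches the table does not list (for example an
    older major release), so the caller can escalate instead of assuming safety."""
    branches = FIXED_BUILDS.get(product)
    if branches is None:
        return "unknown"
    installed = parse_version(version)
    major = installed[0]
    if major in branches:
        return "patched" if installed >= parse_version(branches[major]) else "vulnerable"
    if major > max(branches):
        return "patched"          # major release that shipped after the fix
    return "unknown"              # older branch: the page lists no fixed build for it


def triage(inventory: list) -> dict:
    """Group device names by verdict so the vulnerable set can go to MDM enforcement."""
    out = {"patched": [], "vulnerable": [], "unknown": []}
    for rec in inventory:
        out[assess(rec["product"], rec["os_version"])].append(rec["device"])
    return out


# Constructed sample inventory (device names and versions are illustrative).
SAMPLE_INVENTORY = [
    {"device": "iphone-01", "product": "iOS",            "os_version": "16.1.2"},
    {"device": "iphone-02", "product": "iOS",            "os_version": "16.2"},
    {"device": "iphone-03", "product": "iOS",            "os_version": "15.7.1"},
    {"device": "iphone-04", "product": "iOS",            "os_version": "17.0"},
    {"device": "ipad-01",   "product": "iPadOS",         "os_version": "14.8"},
    {"device": "mac-01",    "product": "macOS Ventura",  "os_version": "13.1"},
    {"device": "mac-02",    "product": "macOS Monterey", "os_version": "12.6.3"},
    {"device": "watch-01",  "product": "watchOS",        "os_version": "9.1"},
]

if __name__ == "__main__":
    for verdict, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict:10s} {', '.join(devices) or '-'}")
```

The "unknown" bucket is deliberate: a device on a branch the advisory does not mention (the sample iPadOS 14.8 record) should be reviewed against Apple's own release notes rather than silently counted as compliant.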

Key Details

Property               Value
CVE ID                 CVE-2023-41990
Vendor / Product       Apple — Multiple Products
NVD Published          2023-09-12
NVD Last Modified      2025-10-23
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CISA KEV Added         2024-01-08
CISA KEV Deadline      2024-01-29
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Local
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2024-01-29. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date           Event
2022-ongoing   Operation Triangulation campaign targets iOS devices of Kaspersky employees and Russian government officials
2023-01-16     Apple releases iOS 15.7.2 and macOS Ventura 13.2, patching CVE-2023-41990 (though it was not named at this time)
2023-06-01     Kaspersky discloses Operation Triangulation and begins publishing technical analysis
2023-12-27     Kaspersky researchers present full chain analysis at 37C3, revealing use of an undocumented ARM hardware feature
2024-01-08     Added to CISA Known Exploited Vulnerabilities catalog
2024-01-29     CISA BOD 22-01 remediation deadline