Apple Releases Security Patches for Actively Exploited Flaws in iOS, macOS, and Safari

 

Apple has taken prompt action to address a set of vulnerabilities that were actively exploited in the wild. The updates released by Apple cover iOS, iPadOS, macOS, watchOS, and the Safari browser. Among the vulnerabilities are a pair of zero-days associated with a mobile surveillance campaign known as Operation Triangulation, which has been active since 2019. Apple acknowledges that these issues have been exploited and urges users to update their devices immediately.

Details of the Exploited Flaws: The identified vulnerabilities include:

CVE-2023-32434: An integer overflow vulnerability in the Kernel that could allow a malicious app to execute arbitrary code with kernel privileges.

CVE-2023-32435: A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content.

Apple acknowledges that these vulnerabilities may have been exploited in versions of iOS released prior to iOS 15.7. The discovery of these flaws is credited to Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin.

Description of Operation Triangulation: Kaspersky has analyzed the spyware implant used in a zero-click attack campaign targeting iOS devices. The attack involves exploiting a remote code execution vulnerability through iMessages. The implant, named TriangleDB, operates in memory, leaving no traces after a device reboot. It carries out various data collection and tracking activities, including interacting with the device's file system, managing processes, extracting keychain items for gathering credentials, and monitoring geolocation.

Additional Zero-Day and Patch: Apple has also addressed another zero-day vulnerability, CVE-2023-32439, which was reported anonymously. This flaw could result in arbitrary code execution when processing malicious web content. The update includes improved checks to mitigate this type confusion issue.

Devices and Platforms Affected: The updates are available for the following platforms:

iOS 16.5.1 and iPadOS 16.5.1: iPhone 8 and later, various iPad models

iOS 15.7.7 and iPadOS 15.7.7: iPhone 6s, iPhone 7, iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), iPod touch (7th generation)

macOS Ventura 13.4.1, macOS Monterey 12.6.7, and macOS Big Sur 11.7.8

watchOS 9.5.2: Apple Watch Series 4 and later

watchOS 8.8.1: Apple Watch Series 3, 4, 5, 6, 7, and SE

Safari 16.5.1: Macs running macOS Monterey

Apple's Ongoing Security Efforts: With these latest fixes, Apple has addressed a total of nine zero-day vulnerabilities in its products since the beginning of the year. The company has demonstrated its commitment to swiftly patching identified security flaws, strengthening its overall security posture.

Conclusion: Apple's release of updates to address actively exploited vulnerabilities underscores the importance of promptly updating devices to protect against potential attacks. Users are urged to install the provided patches and stay vigilant regarding future security updates. Apple's ongoing efforts to address vulnerabilities contribute to a safer digital ecosystem for its users.