Apple on Wednesday released a slew of updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address a set of flaws it said were actively exploited in the wild.
This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the activity is not known.
- CVE-2023-32434 - An integer overflow vulnerability in the Kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.
- CVE-2023-32435 - A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content.
The iPhone maker said it's aware that the two issues "may have been actively exploited against versions of iOS released before iOS 15.7," crediting Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin for reporting them.
The advisory comes as the Russian cybersecurity vendor dissected the spyware implant used in the zero-click attack campaign targeting iOS devices via iMessages carrying an attachment embedded with an exploit for the kernel remote code execution (RCE) vulnerability.
The exploit code is also engineered to download additional components to obtain root privileges on the target device, after which the backdoor is deployed in memory and the initial iMessage is deleted to conceal the infection trail.
The sophisticated implant, called TriangleDB, operates solely in the memory, leaving no traces of the activity following a device reboot. It also comes with diverse data collection and tracking capabilities.
This includes "interacting with the device's file system (including file creation, modification, exfiltration, and removal), managing processes (listing and termination), extracting keychain items to gather victim credentials, and monitoring the victim's geolocation, among others."
In an attempt to complete the attack puzzle and gather its different moving parts, Kaspersky has released a utility called "triangle_check" that organizations can use to scan iOS device backups and hunt for any signs of compromise on their devices.
Also patched by Apple is a third zero-day CVE-2023-32439, which has been reported anonymously and could result in arbitrary code execution when processing malicious web content.
The actively exploited flaw, described as a type confusion issue in WebKit, has been addressed with improved checks. The updates are available for the following platforms -
- iOS 16.5.1 and iPadOS 16.5.1 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- iOS 15.7.7 and iPadOS 15.7.7 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
- macOS Ventura 13.4.1, macOS Monterey 12.6.7, and macOS Big Sur 11.7.8
- watchOS 9.5.2 - Apple Watch Series 4 and later
- watchOS 8.8.1 - Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE, and
- Safari 16.5.1 - Macs running macOS Monterey
With the latest round of fixes, Apple has resolved a total of nine zero-day flaws in its products since the start of the year.
In February, the company plugged a WebKit flaw (CVE-2023-23529) that could lead to remote code execution. In April, it released updates to resolve two bugs (CVE-2023-28205 and CVE-2023-28206) that allowed for code execution with elevated privileges.
Subsequently, in May, it shipped patches for three more vulnerabilities in WebKit (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) that could permit a threat actor to escape sandbox protection, access sensitive data, and execute arbitrary code.