Apple on Wednesday released a batch of updates for iOS, iPadOS, macOS, watchOS, and the Safari browser to address a series of weaknesses it says are actively exploited in the wild.
This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the campaign is unknown.
- CVE-2023-32434 – An integer overflow vulnerability in the kernel that could be exploited by a malicious application to execute arbitrary code with kernel privileges.
- CVE-2023-32435 – A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content.
The iPhone maker said it was aware that the two issues “may have been actively exploited against iOS versions released prior to iOS 15.7,” crediting Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin for reporting them.
The push comes as the Russian cybersecurity vendor dissects spyware implants used in a zero-click attack campaign targeting iOS devices via iMessages that carry attachments embedded with exploits for remote code execution (RCE) vulnerabilities.
The exploit code is also engineered to download additional components to gain root privileges on the target device, after which a backdoor is installed in memory and the initial iMessage is wiped to hide traces of infection.
The advanced implant, called TriangleDB, operates only in memory, leaving no traces of activity after a device reboot. It also comes with a variety of data collection and tracking capabilities.
This includes “interacting with the device’s file system (including file creation, modification, exfiltration, and deletion), managing processes (registration and termination), extracting keychain items to collect victim credentials, and monitoring victim geolocations, among other things.”
Also patched by Apple is a third zero-day, CVE-2023-32439, which was reported anonymously and could result in arbitrary code execution when processing malicious web content.
The actively exploited flaw, described as a type confusion issue, has been addressed with improved checks. The updates are available for the following platforms:
- iOS 16.5.1 and iPadOS 16.5.1 – iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- iOS 15.7.7 and iPadOS 15.7.7 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
- macOS Ventura 13.4.1, macOS Monterey 12.6.7, and macOS Big Sur 11.7.8
- watchOS 9.5.2 – Apple Watch Series 4 and later
- watchOS 8.8.1 – Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE
- Safari 16.5.1 – Macs running macOS Monterey
With the latest round of fixes, Apple has resolved a total of nine zero-day flaws in its products since the start of the year.
In February, the company patched a WebKit flaw (CVE-2023-23529) that could lead to remote code execution. In April, it released updates for two bugs (CVE-2023-28205 and CVE-2023-28206) that allowed code execution with elevated privileges.
Subsequently, in May, it shipped patches for three more vulnerabilities in WebKit (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) that could allow threat actors to escape sandbox protections, access sensitive data, and execute arbitrary code.