Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari

June 22, 2023 | Ravi Lakshmanan | Vulnerability / Endpoint Security


Apple on Wednesday released a number of updates for iOS, iPadOS, macOS, watchOS and the Safari browser to address a series of flaws that are reportedly being actively exploited in the wild.

This includes two zero-days weaponized in a mobile surveillance campaign called Operation Triangulation, which has been active since 2019. The exact actor behind this campaign is unknown.

  • CVE-2023-32434 – An integer overflow vulnerability in the kernel that can be exploited by malicious apps to execute arbitrary code with kernel privileges.
  • CVE-2023-32435 – A memory corruption vulnerability in WebKit may lead to arbitrary code execution when processing specially crafted web content.

The iPhone maker said it was aware that the two issues “may have been actively exploited against versions of iOS released prior to iOS 15.7,” crediting Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko and Boris Larin for reporting them.

The advisory follows the Russian cybersecurity vendor's analysis of a spyware implant used in a zero-click attack campaign that targets iOS devices via iMessages carrying an attachment containing an exploit for a remote code execution (RCE) vulnerability.

The exploit code is designed to download additional components and gain root privileges on the target device, after which the backdoor is deployed in memory and the initial iMessage is deleted to hide any traces of infection.

An advanced implant called TriangleDB runs only in memory and leaves no trace of activity after a device reboot. It also has various data collection and tracking features.


This includes “interacting with the device’s file system (including creating, modifying, extracting, and deleting files), managing processes (listing and terminating), extracting keychain items to gather victim credentials, and monitoring the geolocation of the victim.”

Apple also patched a third zero-day, CVE-2023-32439, which was reported anonymously and could lead to arbitrary code execution when processing malicious web content.

This flaw, described as a type confusion issue and actively exploited, has been addressed with improved checks. Updates are available for the following platforms:

  • iOS 16.5.1 and iPadOS 16.5.1 – iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later
  • iOS 15.7.7 and iPadOS 15.7.7 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
  • macOS Ventura 13.4.1, macOS Monterey 12.6.7, and macOS Big Sur 11.7.8
  • watchOS 9.5.2 – Apple Watch Series 4 and later
  • watchOS 8.8.1 – Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, SE, and
  • Safari 16.5.1 – Macs running macOS Monterey
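
A fleet check against the fixed versions listed above, as an added example that is not from the original article or from Apple. The status labels and the inventory rows are constructed for illustration; the lookup picks the fixed version for the device's own major branch, so a device on 15.x is compared with 15.7.7 rather than 16.5.1.

```python
# Added example. Fixed versions come from the update list above;
# status labels and the inventory rows are constructed for illustration.
FIXED = {
    "iOS": {16: (16, 5, 1), 15: (15, 7, 7)},
    "iPadOS": {16: (16, 5, 1), 15: (15, 7, 7)},
    "macOS": {13: (13, 4, 1), 12: (12, 6, 7), 11: (11, 7, 8)},
    "watchOS": {9: (9, 5, 2), 8: (8, 8, 1)},
    "Safari": {16: (16, 5, 1)},
}

def parse_version(text):
    """'16.5' -> (16, 5, 0); padded so that 16.5 sorts below 16.5.1."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def patch_status(platform, version):
    """Classify one install against the fixed version for its major branch."""
    branches = FIXED.get(platform)
    if branches is None:
        return "unknown-platform"
    v = parse_version(version)
    major = v[0]
    if major in branches:
        return "patched" if v >= branches[major] else "needs-update"
    if major > max(branches):
        return "newer-than-listed"  # branch released after this update round
    return "no-fix-listed"          # the list names no update for this branch

def audit(inventory):
    """Return the rows that are not confirmed patched, with their status."""
    findings = []
    for host, platform, version in inventory:
        status = patch_status(platform, version)
        if status != "patched":
            findings.append((host, platform, version, status))
    return findings

SAMPLE_INVENTORY = [  # constructed sample rows, not real devices
    ("phone-01", "iOS", "16.5.1"), ("phone-02", "iOS", "16.5"),
    ("phone-03", "iOS", "15.7.7"), ("phone-04", "iOS", "14.8.1"),
    ("mac-01", "macOS", "12.6.6"), ("mac-02", "macOS", "13.4.1"),
    ("watch-01", "watchOS", "9.5.2"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```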

With the latest round of fixes, Apple has resolved a total of nine zero-day defects in its products since the beginning of the year.

In February, the company resolved a WebKit flaw (CVE-2023-23529) that could allow remote code execution. In April, it released updates for two bugs (CVE-2023-28205 and CVE-2023-28206) that allowed code execution with elevated privileges.

Then, in May, Apple shipped patches for three more WebKit vulnerabilities (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373). These vulnerabilities allow threat actors to bypass sandbox protections, access sensitive data, and execute arbitrary code.
