Apple Addresses Exploited Security Flaws in iOS, macOS and Safari

Apple has released a series of updates to its operating system and Safari browser. These patches are intended to address a set of actively exploited vulnerabilities, including two zero-days.

The zero-days were reportedly weaponized as part of a mobile surveillance campaign called Operation Triangulation, which has been active since 2019.

The first zero-day, identified as CVE-2023-32434, is a kernel integer overflow vulnerability. Successful exploitation could allow a malicious app to execute arbitrary code with kernel privileges.

The second zero-day, tracked as CVE-2023-32435, is a memory corruption vulnerability in WebKit. Exploitation of this flaw could lead to arbitrary code execution when processing specially crafted web content.

“Apple has an excellent track record of quickly addressing critical vulnerabilities in its software so that users can remain protected,” said Ray Kelly, Fellow of the Synopsys Software Integrity Group.

“This is very important because Apple users have no way to protect themselves from malicious websites that can be exploited in the wild, like this particular WebKit vulnerability.”

In its latest security bulletin, Apple acknowledged that these two vulnerabilities may have been actively exploited in iOS versions released prior to iOS 15.7. The company credited Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin with reporting the vulnerabilities.

In addition, Apple confirmed that it has patched another zero-day, CVE-2023-32439, that allows arbitrary code execution when processing malicious web content. This type confusion issue was addressed with improved checks.

The updates are available for various platforms including iOS, iPadOS, macOS, watchOS and Safari. Users are strongly advised to install them to protect their devices from potential exploits.

“Security-focused updates like these highlight the importance of enabling automatic iOS updates to ensure you have the latest software to keep your device safe,” Kelly added.

“However, some users choose to disable these automatic updates, so malicious actors always have a large number of vulnerable targets.”

These latest fixes bring the total number of zero-day vulnerabilities addressed by Apple since the beginning of the year to nine. The fixes came weeks after Kaspersky released an automated tool designed to help iOS users discover malware used in the Triangulation campaign.
