Apple fixes actively exploited zero-days in iOS, macOS and Safari

The bugs allowed the installation of Triangulation spyware on iPhones through iMessage zero-click exploits

Apple has released new updates for iOS, iPadOS, macOS, watchOS and Safari browser to resolve a series of security vulnerabilities that the company said were actively exploited in the wild.

As part of these updates, Apple has addressed three newly discovered zero-day bugs that allowed for the installation of Triangulation spyware on iPhones through iMessage zero-click exploits.

This week, Kaspersky released a report providing comprehensive details about an iOS spyware component used in a mobile surveillance campaign dubbed "Operation Triangulation."

Although the campaign has been active since 2019, the identity of the threat actor responsible for the campaign remains unknown.

"The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted," Kaspersky said in its report.

"Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers."

Updates available

The latest updates released by Apple are now available for the following platforms:

Apple has addressed a major vulnerability, identified as CVE-2023-32434, pertaining to an integer overflow issue within the kernel.

Exploiting this vulnerability, a malicious application could potentially execute arbitrary code with kernel privileges.

The iOS and iPadOS 15.7.7 updates also resolve a WebKit bug, namely CVE-2023-32435. This particular vulnerability involves a memory corruption issue that enables remote code execution when a device encounters specially crafted web content.

Apple acknowledges that the two aforementioned issues "may have been actively exploited" on iOS versions prior to iOS 15.7.

The company credited Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko and Boris Larin for discovering and reporting these bugs.

WebKit zero-day

Apple has also patched a WebKit zero-day vulnerability, identified as CVE-2023-32439, and reported by an anonymous researcher. Attackers can potentially achieve arbitrary code execution on devices that have not yet been patched by exploiting a type confusion issue.

To address these zero-day vulnerabilities, Apple has implemented several enhancements such as improved checks, input validation, and state management.

With the recent set of fixes, Apple has resolved a total of nine zero-day flaws across its product line-up since the beginning of this year.

In February, Apple released a security update to address a WebKit zero-day vulnerability, CVE-2023-23529, which was used by hackers to achieve code execution on vulnerable iPhones, iPads and Macs.

In April, Apple addressed two zero-day bugs: CVE-2023-28206 and CVE-2023-28205. These vulnerabilities were actively exploited in the wild, targeting Android, iOS and Chrome platforms.

Last month, the US Cybersecurity and Infrastructure Security Agency (CISA) added three WebKit zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue. These bugs (CVE-2023-32409, CVE-2023-28204 and CVE-2023-32373) affected iPhones, Macs and iPads and enabled threat actors to escape sandbox protection and execute arbitrary code on vulnerable devices.