Apple rolled out a wide array of updates targeting iOS, iPadOS, macOS, watchOS, and the Safari browser. These updates are in response to a number of vulnerabilities that were reportedly being exploited in real-time.
Among the vulnerabilities were two zero-days that have been leveraged in a mobile surveillance operation, cryptically named “Operation Triangulation.” The campaign has been ongoing since 2019, although the exact identity of the perpetrators remains shrouded in mystery.
- CVE-2023-32434 – An integer overflow vulnerability in the Kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.
- CVE-2023-32435 – A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content.
Apple, aware of the active exploitation against versions of iOS released before iOS 15.7, gave a nod to Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin for bringing these issues to their attention.
The announcement came as the Russian cybersecurity giant dissected a sophisticated spyware implant deployed in the zero-click attack campaign that specifically targeted iOS devices. iMessages bearing an infected attachment served as the delivery vehicle for the remote code execution (RCE) vulnerability.
The malicious code within the exploit was designed to initiate the download of additional components. These components can gain root access on the targeted device, enabling the implantation of a backdoor in the memory and the subsequent deletion of the original iMessage, thereby covering its tracks.
Named TriangleDB, this advanced implant operates exclusively in the device memory, evaporating without leaving any signs of its activity after a device reboot. Along with its stealthy operation, TriangleDB boasts a wide array of data collection and tracking capabilities. It can interact with the device’s file system, manage processes, extract keychain items to gather victims’ credentials, and even keep an eye on the victim’s geolocation.
Additionally, Apple patched a third zero-day, identified as CVE-2023-32439, reported anonymously, capable of executing arbitrary code when processing malevolent web content.
This potentially exploited flaw, a type confusion issue, has been countered with enhanced checks. The freshly baked updates are now available for several platforms, including:
- iOS 16.5.1 and iPadOS 16.5.1 (compatible with iPhone 8 and later, iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later)
- iOS 15.7.7 and iPadOS 15.7.7 (compatible with iPhone 6s, iPhone 7, iPhone SE 1st generation, iPad Air 2, iPad mini 4th generation, and iPod touch 7th generation)
- macOS Ventura 13.4.1, macOS Monterey 12.6.7, and macOS Big Sur 11.7.8
- watchOS 9.5.2 (for Apple Watch Series 4 and later)
- watchOS 8.8.1 (for Apple Watch Series 3 to Series 7, and SE)
- Safari 16.5.1 (for Macs running macOS Monterey)
With these recent fixes, Apple has successfully addressed a total of nine zero-day flaws since the beginning of the year. They previously patched a WebKit flaw (CVE-2023-23529) in February that could lead to remote code execution. Then in April, they released updates for two bugs (CVE-2023-28205 and CVE-2023-28206) that could grant code execution with elevated privileges. In May, Apple shipped patches for three more vulnerabilities in WebKit (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) which could potentially allow a threat actor to circumvent sandbox protection, access sensitive data, and execute arbitrary code.
Check out our new Discord Cyber Awareness Server. Stay informed with CVE Alerts, Cybersecurity News & More!
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.