Apple patched zero-click kernel vulnerabilities in the operating system software underpinning its iPhones, iPads, watches and macOS computers. Apple also released security updates for two WebKit vulnerabilities used in impacted devices.
Apple’s support page on Wednesday detailed the updates. One is a kernel vulnerability (CVE-2023-32434) that allows an app to execute arbitrary code with kernel privileges for devices running iOS 16.5.1 and iPadOS 16.5.1. Affected devices are iPhone 8 and later; all models of iPad Pro; iPad Air 3rd generation and later; iPad 5th generation and later; and iPad mini 5th generation and later.
Security updates were also released for macOS Ventura, Monterey and Big Sur to address the same vulnerability.
iOS 15.7.7 and iPadOS 15.7.7 are also susceptible to the same vulnerability (CVE-2023-32434), which affects iPhone 6s (all models); iPhone 7 (all models); iPhone SE (1st generation); iPad Air 2; iPad mini (4th generation); and iPod touch (7th generation).
One of the WebKit vulnerabilities (CVE-2023-32439), Apple said, leads to arbitrary code execution if an affected device processes maliciously crafted web content. The security updates are for iPhone 8 and later; iPad Pro (all models); iPad Air 3rd generation and later; iPad 5th generation and later; and iPad mini 5th generation and later.
A second WebKit bug (CVE-2023-32435) is similarly described as leading to arbitrary code execution by running web content. Security updates, according to Apple, were released for iPhone 6s (all models); iPhone 7 (all models); iPhone SE (1st generation); iPad Air 2; iPad mini (4th generation); and iPod touch (7th generation).
The Apple security update pages for the CVEs report that the company “is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.”
Kaspersky details spyware targeting Apple devices
Kaspersky researchers are credited with reporting the kernel vulnerabilities to Apple, as well as the second WebKit vulnerability.
On Wednesday, the cybersecurity firm released research on a vulnerability first disclosed earlier this month that it’s calling “TriangleDB,” which is described as a “Triangulation spyware implant” that was discovered targeting its researchers.
The researchers said on Kaspersky’s blog that it took six months to research the exploitation chain, adding: “The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted. Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers.”