Apple released several new security updates Monday for vulnerabilities affecting its iOS, iPadOS, macOS, tvOS and watchOS, including one CVE that “may have been actively exploited” in devices running all of those operating systems.
Security researchers with Kaspersky are credited with reporting CVE-2023-38606, the kernel vulnerability that may have been exploited in all of those devices. Apple described the bug as “an app that may be able to modify sensitive kernel state.”
The fixes for CVE-2023-38606 is available for iOS 16.6 and iPadOS 16.6 for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later; iPad 5th generation and later; iPad mini 5th generation and later. The kernel bug is also found in iOS and iPadOS 17.7.8 for iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation); as well as macOS Ventura 13.5, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, tvOS 16.6 (Apple TV 4K, all models; and Apple TV HD) and watchOS 9.6 (Apple Watch Series 4 and later).
Another vulnerability found in the WebKit affects several of the same operating systems, but not all of them. CVE-2023-37450 was found by an anonymous researcher and is described as “processing web content may lead to arbitrary code execution.” Updates are for iOS and iPadOS 16.6, as well as macOS Ventura 13.5, tvOS 16.6 and watchOS 9.6.
The latest security updates — the second released in July — are part of Apple’s Rapid Security Response, billed as delivering important security improvements between software updates and to address issues that might have been exploited or reported to exist in the wild.
Similar to a Rapid Security Response in June, Kaspersky researchers were credited with reporting vulnerabilities that needed to be patched quickly. In June, Kaspersky’s SecureList blog described a campaign it called “Operation Triangulation” or “TriangleDB,” saying it was a “Triangulation spyware implant” that was discovered by its researchers.