Apple Patches Another Kernel Flaw Exploited in ‘Operation Triangulation’ Attacks

Apple on Monday pushed out major security-themed updates to its flagship iOS, macOS and iPadOS platforms, warning that at least one of the patched vulnerabilities has already been exploited in the wild.

The Cupertino device maker announced patches for critical code execution flaws in iOS and macOS, including a kernel bug that was used in an exploit chain documented by Russian anti-malware vendor Kaspersky.

According to Apple, the kernel flaw (CVE-2023-38606) affects both iOS, iPadOS and macOS-powered devices and was already actively exploited against versions of iOS released before iOS 15.7.1. 

“An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited,” the company confirmed, crediting five different Kaspersky researchers with reporting the issue.

This is the second time Apple has pushed out fixes for software defects exploited as part of APT-style attacks on Kaspersky’s corporate network.  Kaspersky’s disclosure came on the same day Russia’s Federal Security Service (FSB) blamed US intelligence agencies for an ongoing spy campaign targeting thousands of iOS devices belonging to domestic subscribers and foreign diplomatic missions.

In all, Apple fixed at least 25 documented security bugs haunting iPhones and iPads, including multiple issues that expose mobile devices to code execution attacks.  The iOS 16.6 update also covers a WebKit bug that was first addressed in the recent Rapid Security Response rollout.

Apple also fixed security issues in its Safari browser (Safari 16.6), older versions of iPhones and iPads (iOS 15.7.8 and iPadOS 15.7.8), and macOS Ventura 13.5. 

Related: Russia Blames US Intelligence for iOS Zero-Click Attacks

Related: Apple Denies Helping US Government Hack Russian iPhones

Related: Apple Patches iOS Flaws Used in Kaspersky ‘Operation Triangulation’