Apple has rolled out a major security-themed iOS update to fix remote code execution vulnerabilities that have already been exploited in the wild.
The patches address a pair of vulnerabilities reported by Russian anti-malware vendor Kaspersky and follow the public documentation of ‘Operation Triangulation,’ a digital spy campaign that used zero-click iMessage exploits.
The patches – iOS 16.5.1, iPadOS 16.5.1, iOS 15.7.7 and iPadOS15.7.7 – cover security defects in kernel and WebKit and have been exploited remotely via maliciously rigged web content.
Apple described the exploited bugs as memory corruption issues in the kernel (CVE-2023-32434 – allows an app to execute arbitrary code with kernel privileges); and WebKit (CVE-2023-32435 – code execution via web content).
The company fixed the same issue in the newest version (iOS 16.5.1), but noted that the attacks have only been seen on devices running versions of iOS released before iOS 15.7. Patches for macOS and watchOS were also released.
Apple’s attribution of these vulnerabilities to Kaspersky comes just two weeks after the Russian cybersecurity firm said it discovered an APT actor launching zero-click iMessage exploits on iOS-powered devices in its corporate network.
Kaspersky’s disclosure came on the same day Russia’s Federal Security Service (FSB) blamed US intelligence agencies for an ongoing spy campaign targeting thousands of iOS devices belonging to domestic subscribers and foreign diplomatic missions.
The FSB, the Russian security agency that succeeded the Soviet KGB, said iPhones belonging to diplomats from NATO countries, China, Israel and Syria were infected as part of an alleged “reconnaissance operation by American intelligence services.”
Kaspersky calls the campaign Operation Triangulation and has published additional technical documentation on the spyware used in the attacks.
Related: Kaspersky Dissects Spyware Used in iOS Zero-Click Attacks
Related: Russia Blames US Intelligence for iOS Zero-Click Attacks
Related: NSO Group Used at Least 3 iOS Zero-Click Exploits in 2022
Related: Apple Rolls Out Zero-Day Patches to Older iOS, macOS Devices
More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
