Apple has rolled out a major security-themed iOS update to fix remote code execution vulnerabilities that have already been exploited in the wild.
The patches address a pair of vulnerabilities reported by Russian anti-malware vendor Kaspersky and follow the public documentation of ‘Operation Triangulation,’ a digital spy campaign that used zero-click iMessage exploits.
The patches – iOS 16.5.1, iPadOS 16.5.1, iOS 15.7.7 and iPadOS15.7.7 – cover security defects in kernel and WebKit and have been exploited remotely via maliciously rigged web content.
Apple described the exploited bugs as memory corruption issues in the kernel (CVE-2023-32434 – allows an app to execute arbitrary code with kernel privileges); and WebKit (CVE-2023-32435 – code execution via web content).
The company fixed the same issue in the newest version (iOS 16.5.1), but noted that the attacks have only been seen on devices running versions of iOS released before iOS 15.7. Patches for macOS and watchOS were also released.
Apple’s attribution of these vulnerabilities to Kaspersky comes just two weeks after the Russian cybersecurity firm said it discovered an APT actor launching zero-click iMessage exploits on iOS-powered devices in its corporate network.
Kaspersky’s disclosure came on the same day Russia’s Federal Security Service (FSB) blamed US intelligence agencies for an ongoing spy campaign targeting thousands of iOS devices belonging to domestic subscribers and foreign diplomatic missions.
The FSB, the Russian security agency that succeeded the Soviet KGB, said iPhones belonging to diplomats from NATO countries, China, Israel and Syria were infected as part of an alleged “reconnaissance operation by American intelligence services.”
Kaspersky calls the campaign Operation Triangulation and has published additional technical documentation on the spyware used in the attacks.
Related: Kaspersky Dissects Spyware Used in iOS Zero-Click Attacks
Related: Russia Blames US Intelligence for iOS Zero-Click Attacks
Related: NSO Group Used at Least 3 iOS Zero-Click Exploits in 2022
Related: Apple Rolls Out Zero-Day Patches to Older iOS, macOS Devices
