Apple Addresses Exploited Security Flaws in iOS, macOS and Safari


Apple has released a series of updates for its operating systems and Safari browser. These patches aim to address a set of vulnerabilities that have been actively exploited, including two zero-days.

The zero-days were reportedly weaponized as part of a mobile surveillance campaign called Operation Triangulation, which has been operational since 2019.


The first zero-day, identified as CVE-2023-32434, is an integer overflow vulnerability in the Kernel. If successfully exploited, a malicious app could execute arbitrary code with kernel privileges.

The second zero-day, tracked as CVE-2023-32435, is a memory corruption vulnerability in WebKit. Exploiting this flaw could result in arbitrary code execution when processing specially crafted web content.

“Apple has a great track record when it comes to addressing critical vulnerabilities in its software quickly to help its users stay protected,” commented Ray Kelly, a Synopsys Software Integrity Group fellow.

“This is critically important since Apple users do not have a way to protect themselves from malicious websites that may be actively exploited in the wild, like this specific WebKit vulnerability.”

In its latest security bulletin, Apple acknowledged that these two vulnerabilities might have been actively exploited on iOS versions released before iOS 15.7. The company credited researchers from Kaspersky, Georgy Kucherin, Leonid Bezvershenko and Boris Larin for reporting the vulnerabilities.

Additionally, Apple also confirmed patching another zero-day, CVE-2023-32439, which allows arbitrary code execution when processing malicious web content. This type confusion issue has been addressed with improved checks.

The updates are available for various platforms, including iOS, iPadOS, macOS, watchOS and Safari. Users are strongly advised to install the updates to protect their devices from potential exploitation.

“Security-focused updates like this really stress the importance of enabling automatic iOS updates to ensure you have the latest software that keeps your device safe,” Kelly added.

“However, since some users choose to disable these automatic updates, malicious actors will always have a vast amount of vulnerable targets.”

These latest fixes bring the total number of zero-day vulnerabilities addressed by Apple to nine since the beginning of the year. They come weeks after Kaspersky released an automated tool designed to help iOS users spot malware used in Operation Triangulation.
