Apple releases patches for vulnerabilities in iOS, macOS and Safari

According to The Hacker News , the new update from Apple has patched two Zero-Day vulnerabilities that were used in the mobile surveillance campaign Operation Triangulation since 2019. It is unclear which organization is behind this campaign.

Apple said these two vulnerabilities (CVE-2023-32434 and CVE-2023-32435) may have been actively exploited on versions prior to iOS 15.7, noting that three Kaspersky researchers, Georgy Kucherin, Leonid Bezvershenko and Boris Larin, reported them.

Russian cybersecurity vendors have dissected spyware used in a zero-click attack campaign that targeted iOS devices via the iMessages app with attachments that exploited a remote code execution (RCE) vulnerability.

The exploit is designed to download additional components to gain root privileges on the device, then deploy a backdoor in memory and delete iMessages to remove traces of infection.

The implant, called TriangleDB, leaves no trace after rebooting the device. It is capable of collecting and tracking a wide range of data. TriangleDB can interact with the device's file system (create, modify, extract, and delete), manage processes, extract entries to collect login credentials, and monitor the victim's geolocation...

Kaspersky has also released a utility called “triangle_check,” which organizations can use to scan iOS device backups and look for signs of compromise on their devices.

Apple also patched a third Zero-Day, CVE-2023-32439, which was reported anonymously, exploiting which allows hackers to execute arbitrary code when a browser visits malicious web content.

Updates are available for iOS/iPadOS 16.5.1 platforms for iPhone 8 and later, iPad Pro, iPad Air 3, iPad Gen 5, and iPad mini Gen 5 and later. Older models such as iPhone SE, iPhone 6s, iPod Touch Gen 7, iPad Air 2... are also updated to iOS 15.7.7 and iPadOS 15.7.7.

On wearables, Apple released watchOS 9.5.2 for Series 4 and later, along with watchOS 8.1.1 for Apple Watch Series 3 to Watch SE. Safari was also updated to version 16.5.1 on macOS Monterey.

With the latest update, Apple has addressed a total of nine Zero-Day vulnerabilities in its products since the beginning of the year.