Apple Addresses Three Zero-Day Vulnerabilities
Kaspersky report highlights risks

Overt Operator
June 23, 2023

Apple has recently taken action to address three zero-day vulnerabilities that were exploited to install Triangulation spyware on iPhones using iMessage zero-click exploits. Two of them, tracked as CVE-2023-32434 and CVE-2023-32435, were discovered and reported by Kaspersky security researchers.
In a report published by Kaspersky, additional details were provided about the iOS spyware component used in a campaign referred to as "Operation Triangulation." The spyware, named TriangleDB, is deployed by attackers after gaining root privileges on the target iOS device through a kernel vulnerability. It runs only in the device's memory, so all traces of the implant are lost when the device reboots.
Kaspersky explains that if a victim reboots their device, the attackers must reinfect it by sending an iMessage with a malicious attachment, restarting the entire exploitation process. However, if no reboot occurs, the implant will uninstall itself after 30 days, unless the attackers extend this period.
These attacks have been ongoing since 2019, and Kaspersky reported in early June that some iPhones on its network were infected with previously unknown spyware through iMessage zero-click exploits that took advantage of iOS zero-day vulnerabilities. The impact of the attack was felt by Kaspersky's Moscow office and its employees in other countries.
Following the publication of Kaspersky's report, Russia's FSB intelligence and security agency claimed that Apple had provided the NSA with a backdoor to help infect iPhones in Russia with spyware. The FSB alleged that thousands of infected iPhones belonging to Russian government officials and staff from embassies in Israel, China, and NATO member countries were discovered.
In response to these allegations, an Apple spokesperson told BleepingComputer that they have never collaborated with any government to insert a backdoor into Apple products and have no plans to do so in the future.
Apple has also patched a WebKit zero-day vulnerability (CVE-2023-32439) reported by an anonymous researcher. This vulnerability allowed attackers to gain arbitrary code execution on unpatched devices by exploiting a type confusion issue.
To address these security concerns, Apple released updates for various operating systems, including macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8, iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, watchOS 9.5.2, and watchOS 8.8.1. The updates include improved checks, input validation, and state management.
The range of affected devices is extensive, including iPhone models from iPhone 8 and later, various iPad models, Macs running macOS Big Sur, Monterey, and Ventura, as well as Apple Watch Series 4 and later.
This marks the ninth zero-day vulnerability that Apple has patched since the beginning of the year. In the previous month, Apple addressed three additional zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373), the first reported by Google Threat Analysis Group and Amnesty International Security Lab researchers and likely used for installing commercial spyware.
In April, Apple fixed two more zero-days (CVE-2023-28206 and CVE-2023-28205) that were part of exploit chains affecting Android, iOS, and Chrome. The vulnerabilities were exploited to deploy mercenary spyware on devices belonging to high-risk targets globally.
In February, Apple also addressed a WebKit zero-day (CVE-2023-23529) that was exploited to gain code execution on vulnerable iPhones, iPads, and Macs.
With these latest patches and ongoing efforts, Apple aims to strengthen the security of its devices and protect users from potential threats posed by zero-day vulnerabilities.