Apple has fixed an actively exploited vulnerability in its kernel, impacting certain versions of iOS and macOS.
The vulnerability (CVE-2023-38606) is part of a series of flaws discovered by Kaspersky researchers, as part of an investigation into a campaign that leveraged a zero-click exploit chain, called Operation Triangulation. Two other flaws, CVE-2023-32434 and CVE-2023-32435, that were discovered as part of Operation Triangulation have also been patched by Apple.
This most recent bug, which was also used in the zero-click exploit chain, could allow an app to modify sensitive kernel state, according to Apple, which addressed the issue with improved state management.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1,” according to Apple. It’s worth noting that the flaw impacts older iOS versions; the most recent version released in July is iOS 16.6.
Operation Triangulation was disclosed by researchers in early June. While the attackers behind the campaign has not yet been identified, the campaign is sophisticated and involves no user interaction. The attack involves a target iOS device being sent an iMessage with an attachment containing an exploit.
The patch is available for certain versions of Apple Watch; Apple TV 4K; macOS Monterey; macOS Big Sur; macOS Ventura; all models of iPhone 6s and iPhone 7, iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation); iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
Apple has also backported patches for a previously disclosed WebKit flaw, which has been actively exploited. The Rapid Security Response update for the flaw (CVE-2023-37450) was previously available for iOS 16.5.1, macOS Ventura 13.4.1 and iPadOS 16.5.1; on Monday the company backported these patches for certain versions of watchOS and tvOS. Apple did not give further details on the flaw tied to CVE-2023-37450 other than to say that it was discovered by an anonymous researcher, that it could lead to arbitrary code execution and that the issue was addressed with improved checks.