Apple Patches Two Zero-Day Vulnerabilities Used to Attack iOS Users
Apple developers have released patches for two zero-day vulnerabilities that were used to attack iOS users. The bugs, which allowed attackers to compromise iPhones through zero-click iMessage exploits, were discovered by Kaspersky Lab specialists while investigating the Operation Triangulation malicious campaign.
Issues CVE-2023-32434 and CVE-2023-32435 were a threat to all versions of iOS released prior to iOS 15.7. The vulnerabilities are described as bugs in the kernel and in the WebKit engine.
Apple Fixes Another Zero-Day Vulnerability in WebKit
Along with these 0-days, Apple also fixed another zero-day vulnerability in WebKit (CVE-2023-32439), which was reported by an anonymous researcher. This issue allows attackers to execute arbitrary code by exploiting a type confusion bug.
Operation Triangulation
At the beginning of June 2023, the FSB and the FSO of Russia reported on “an intelligence action by American intelligence services carried out using Apple mobile devices.” Shortly thereafter, Kaspersky Lab published a detailed report on targeted attacks against devices running iOS. This campaign was called “Operation Triangulation” and, according to Kaspersky Lab, the purpose of the attacks was “invisibly injecting a spy module into the iPhone of company employees – both top management and middle managers.” According to experts, these attacks began in 2019. Shortly thereafter, the company published the free triangle_check utility, which looks for traces of infection in an Apple device backup. This week, almost simultaneously with the release of Apple patches, Kaspersky Lab presented an analysis of the TriangleDB malware, which was used as part of the Operation Triangulation campaign.
Apple Patches Affect a Variety of Devices
Apple fixed the 0-day bugs in macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8, iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, watchOS 9.5.2 and watchOS 8.8.1 by improving checks, input validation, and state management.
The list of devices for which the above vulnerabilities are dangerous is quite large, because these problems affect both old and new device models, including:
iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later;
iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation);
Macs running macOS Big Sur, Monterey, and Ventura;
Apple Watch Series 4 and later, Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE.
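For administrators checking a fleet against the fixed releases listed above, the comparison can be scripted. The following is an added example, not part of the original article or any Apple or Kaspersky tool: the fixed versions come from the article, while the inventory rows, hostnames and status labels are constructed for illustration. It assumes that major releases newer than those listed already contain the fixes.

```python
# Added example: fixed versions are taken from the article; everything else is illustrative.
FIXED = {
    "macOS":   {11: (11, 7, 8), 12: (12, 6, 7), 13: (13, 4, 1)},
    "iOS":     {15: (15, 7, 7), 16: (16, 5, 1)},
    "iPadOS":  {15: (15, 7, 7), 16: (16, 5, 1)},
    "watchOS": {8: (8, 8, 1), 9: (9, 5, 2)},
}

def parse_version(text):
    """'16.5' -> (16, 5, 0). Padding to three parts keeps tuple comparison correct."""
    parts = [int(p) for p in text.strip().split(".")]  # ValueError on malformed input
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def patch_status(platform, version):
    """Classify one device against the fixed release for its own major branch."""
    branches = FIXED.get(platform)
    if branches is None:
        return "unknown-platform"
    v = parse_version(version)
    major = v[0]
    if major in branches:
        return "patched" if v >= branches[major] else "needs-update"
    if major > max(branches):
        return "patched"       # assumption: later major releases include the fixes
    return "no-fix-listed"     # older branch: the article lists no fixed release

def audit(inventory):
    """Return (host, platform, version, status) for every inventory row."""
    return [(h, p, v, patch_status(p, v)) for h, p, v in inventory]

# Constructed sample inventory (hypothetical hostnames).
INVENTORY = [
    ("ceo-iphone", "iOS", "16.5"),
    ("lab-ipad", "iPadOS", "15.7.7"),
    ("build-mac", "macOS", "12.6.6"),
    ("old-iphone", "iOS", "14.8.1"),
    ("exec-watch", "watchOS", "9.5.2"),
]

if __name__ == "__main__":
    for host, platform, version, status in audit(INVENTORY):
        print(f"{host:12} {platform:8} {version:8} {status}")
```

Devices reported as no-fix-listed are on a branch for which the article names no patched release and need a separate decision, such as upgrading to a supported branch or retiring the device.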
When Operation Triangulation was first discovered, the FSB representatives reported that “the information received by the Russian special services indicates the close cooperation of the American company Apple with the national intelligence community, in particular the US NSA, and confirms that the declared policy of ensuring the confidentiality of personal data of users of Apple devices is not true.”
Apple has now released patches for the zero-day vulnerabilities to protect iOS users from the malicious campaign. It is important for users to update their devices to the latest version of iOS to ensure their security.