This Wednesday, Apple took swift measures to tackle three zero-day vulnerabilities that were being exploited to install Triangulation spyware on iPhones through iMessage zero-click exploits. The tech giant rolled out a series of security patches for a wide array of devices, encompassing iPhones, iPads, Macs, and Apple Watches. Since these flaws have already been used in active attacks, Apple is strongly urging users to install the patches as soon as possible.
Newfound Security Risks: Kernel and WebKit Vulnerabilities
The discovered security weaknesses are designated CVE-2023-32434 and CVE-2023-32435 and affect versions of iOS prior to iOS 15.7. Apple has confirmed that “it is aware of a report indicating this issue may have been actively exploited.” Georgy Kucherin, Leonid Bezvershenko, and Boris Larin—security researchers from Kaspersky—are credited with finding and reporting these vulnerabilities.
Unraveling Operation Triangulation
In their report, Kaspersky divulged more information about the devastating cyberattack campaign they’ve dubbed “Operation Triangulation.” Once root privileges on the targeted iOS device are obtained through exploitation of the kernel vulnerability, TriangleDB—a spyware component—is deployed. TriangleDB’s noteworthy characteristics include memory-only deployment—meaning that all traces of the implant vanish after the device restarts—and self-uninstallation after 30 days if no reboot occurs (unless the attackers extend that period). If re-infection is required after a device reboot, the attackers must send another iMessage with a malicious attachment.
Tracing Back Attacks: Origins and Extent
Kaspersky’s research reveals that these cyberattacks can be traced back to 2019 and, unfortunately, are still ongoing. Some iPhones within Kaspersky’s network were reportedly compromised by the spyware through iMessage zero-click exploits—highly sophisticated cyberattacks that use iOS zero-day bugs. Russia’s FSB intelligence and security agency asserts that thousands of their government officials’ iPhones, in addition to embassy staff devices from Israel, China, and NATO member countries, have been infected with the malicious software. The FSB claims that Apple lent a helping hand to the NSA by providing backdoor access for these operations. In response to these allegations, an Apple spokesperson firmly denied any involvement or cooperation with governmental entities—they stated: “We have never worked with any government to insert a backdoor into any Apple product and never will.”
How Apple Addressed Concerns
Apart from tackling the kernel and WebKit vulnerabilities mentioned above, Apple also addressed a third WebKit zero-day vulnerability (CVE-2023-32439) reported by an anonymous researcher. Exploiting this type confusion issue allows malicious actors to execute arbitrary code on unpatched devices. To secure its wide range of devices against these threats, Apple released security patches that primarily improve checks, input validation, and state management.
Which Devices Are Impacted?
The roster of affected devices is exhaustive—covering both old and new models alike. These encompass iPhone 8 series onwards; iPad Pro (all models); iPad Air 3rd generation upwards; iPad starting from 5th generation onwards; iPad mini beginning with the 5th generation; iPhone 6s/7 series in all variations; iPhone SE (1st generation); iPad Air 2; iPad mini (4th generation); iPod touch (7th generation); Mac systems running macOS Big Sur, Monterey, and Ventura; as well as Apple Watches from Series 4 to SE, including Series 3, Series 4, Series 5, Series 6, and Series 7. This year alone has seen Apple patch nine zero-day vulnerabilities exploited in the wild across iPhones, iPads, and Macs; the fact that these flaws were actively exploited before patches were available shows their severe potential impact.
Recapping Previous Updates and Fixes
Last month saw Apple tackle another trio of zero-day vulnerabilities (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373)—these issues were initially reported by Google’s Threat Analysis Group along with Amnesty International Security Lab researchers. It’s likely that they had been used to install commercial-grade spyware. Around April this year, Apple dealt with two more zero-days (CVE-2023-28206 and CVE-2023-28205) that were part of exploit chains which, together with Android and Chrome zero-day/n-day flaws, allowed mercenary spyware to be installed on high-risk target devices around the globe. Lastly, in February Apple fixed yet another WebKit zero-day vulnerability (CVE-2023-23529) that was being abused for code execution attacks on vulnerable iPhones, iPads, and Macs.
Guidance on Installing Security Patches Properly
All released security patches will appear as standard software updates across devices. Here’s how to navigate the different device update processes:
- iPhone/iPad: access Settings > General > Software Update;
- Macs: head over to System Settings > General > Software Update or System Preferences > Software Update;
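For anyone responsible for more than a handful of devices, the practical question after an advisory like this is which devices in the fleet are still below the patched version. The script below is an added example (not Apple’s or Kaspersky’s code) that triages a constructed MDM-style inventory export against a table of minimum patched versions. The iOS/iPadOS floor of 15.7 is the boundary the article states; no floor is configured for macOS on purpose, so those devices are reported as “unknown” rather than silently treated as patched. The device names and version values in the sample are constructed.

```python
"""Fleet triage after a zero-day advisory (added example, not Apple's code).

Compares each device's reported OS version against a minimum patched version,
component by component, so that 15.7 < 15.10 and 15.7.1 > 15.7 compare as
real version numbers rather than as strings.
"""
import csv
import io
from typing import Dict, List, Tuple

# Minimum patched versions. "15.7" for iOS/iPadOS is the boundary given in the
# article. Platforms without an entry (for example macOS) are deliberately left
# out so that such devices land in the 'unknown' bucket, never in 'patched'.
MIN_PATCHED: Dict[str, str] = {
    "iOS": "15.7",
    "iPadOS": "15.7",
}

# Constructed sample inventory in the shape of a typical MDM CSV export.
SAMPLE_INVENTORY = """\
device,platform,os_version
exec-iphone-01,iOS,15.6.1
exec-iphone-02,iOS,15.7
ops-ipad-03,iPadOS,15.10
dev-ipad-04,iPadOS,15.7.0
ceo-mbp-05,macOS,13.4
old-iphone-06,iOS,15.7.1
intern-iphone-07,iOS,n/a
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'15.7.1' -> (15, 7, 1). Trailing zeros are dropped so 15.7.0 == 15.7.

    Raises ValueError for anything that is not dotted integers.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def is_patched(os_version: str, minimum: str) -> bool:
    """True when os_version is at or above the minimum patched version."""
    return parse_version(os_version) >= parse_version(minimum)


def triage(inventory_csv: str, minimums: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket every device into 'patched', 'vulnerable' or 'unknown'.

    'unknown' covers platforms with no configured floor and devices whose
    reported version cannot be parsed; both need a human look, so they are
    never counted as patched.
    """
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        floor = minimums.get(row["platform"])
        if floor is None:
            result["unknown"].append(row["device"])
            continue
        try:
            patched = is_patched(row["os_version"], floor)
        except ValueError:
            result["unknown"].append(row["device"])
            continue
        result["patched" if patched else "vulnerable"].append(row["device"])
    return result


if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY, MIN_PATCHED).items():
        print(f"{bucket:10s} {', '.join(devices) or '-'}")
```

The version comparison is the part worth getting right: a plain string comparison would rank 15.10 below 15.7 and report an up-to-date iPad as vulnerable, while a device whose MDM agent reports an unparseable version would be missed entirely if it were not routed to the unknown bucket.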
Legacy Device Support
In spite of discontinuing software support for certain devices—rendering them unable to receive new features—Apple remains committed to providing critical security updates. This unwavering dedication testifies to the conviction Apple holds towards maintaining an ecosystem that’s safe and secure for all users.
Wrapping It Up
While Apple is quick to act on vulnerabilities and promptly offer updates, it ultimately falls to users to ensure that their devices have the latest patches installed. Responsibility for cybersecurity is shared by everyone—from individuals to larger organizations—in order to protect both our personal space and the digital world at large. For more information on how you can shield your devices, check out Apple’s official support page. Remember, staying informed about updates is one of the best methods for staying safeguarded against threats.