New security flaws within Apple’s software platforms have officially been patched out by the tech giant, as highlighted on its support page. The vulnerabilities, known as zero-day exploits, were first discovered by Kaspersky researchers.
The updates address CVE-2023-32434 (Kernel) and CVE-2023-32435 (WebKit), and are currently being pushed out across Apple’s ecosystem of devices. The vulnerabilities have been exploited in attacks that install so-called “Triangulation” spyware, according to Kaspersky.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7,” the company said when addressing the vulnerabilities.
Kaspersky security researcher Boris Larin, who helped discover the vulnerability, has taken to Twitter with the recommendation to update all impacted Apple devices as soon as possible.
Today Apple released updates for CVE-2023-32434 (Kernel) and CVE-2023-32435 (WebKit) in-the-wild zero-days which were discovered by us (@kucher1n, @bzvr_ and yours truly) in the #iOSTriangulation attacks. Update your iOS/iPadOS/macOS/watchOS now! pic.twitter.com/w1HxJwq4GO
— Boris Larin (@oct0xor) June 21, 2023
In a new report published by Kaspersky, the security company goes into detail regarding the use of the vulnerabilities in what it has dubbed “Operation Triangulation.”
“The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted,” Kaspersky says.
Upon release of the Kaspersky report, Russia’s Federal Security Service (FSB) came forward with the claim that Apple provided the National Security Agency (NSA) with a backdoor to the exploit.
Specifically, the Russian government alleges that its American counterpart used the vulnerability to inject spyware into iPhones owned by Russian officials.