Apple has rolled out a major security-themed iOS update to fix remote code execution vulnerabilities that have already been exploited in the wild.
The patches address a pair of vulnerabilities reported by Russian anti-malware vendor Kaspersky and follow the public documentation of ‘Operation Triangulation,’ a digital spy campaign that used zero-click iMessage exploits.
Apple described the exploited bugs as memory corruption issues in the kernel (CVE-2023-32434 – allows an app to execute arbitrary code with kernel privileges); and WebKit (CVE-2023-32435 – code execution via web content).
The company fixed the same issue in the newest version (iOS 16.5.1), but noted that the attacks have only been seen on devices running versions of iOS released before iOS 15.7. Patches for macOS and watchOS were also released.
Apple’s attribution of these vulnerabilities to Kaspersky comes just two weeks after the Russian cybersecurity firm said it discovered an APT actor launching zero-click iMessage exploits on iOS-powered devices in its corporate network.
Kaspersky’s disclosure came on the same day Russia’s Federal Security Service (FSB) blamed US intelligence agencies for an ongoing spy campaign targeting thousands of iOS devices belonging to domestic subscribers and foreign diplomatic missions.
The FSB, the Russian security agency that succeeded the Soviet KGB, said iPhones belonging to diplomats from NATO countries, China, Israel and Syria were infected as part of an alleged “reconnaissance operation by American intelligence services.”