Apple addressed a new actively exploited zero-day tracked as CVE-2023-38606

Apple released security updates to address an actively exploited zero-day flaw in iOS, iPadOS, macOS, tvOS, watchOS, and Safari.

Apple released urgent security updates to address multiple flaws in iOS, iPadOS, macOS, tvOS, watchOS, and Safari, including an actively exploited zero-day.

The vulnerability, tracked as CVE-2023-38606, resides in the kernel and can be exploited to modify sensitive kernel state potentially. The company addressed the vulnerability with improved state management.

“An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1” reads the advisory published by Apple.

The vulnerability CVE-2023-38606 is one of the flaws exploited by the threat actors in the Operation Triangulation.

In early June, researchers from the Russian firm Kaspersky uncovered a previously unknown APT group that is targeting iOS devices with zero-click exploits as part of a long-running campaign dubbed Operation Triangulation.

The experts discovered the attack while monitoring the network traffic of their own corporate Wi-Fi network dedicated to mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA).

According to Kaspersky researchers, Operation Triangulation began at least in 2019 and is still ongoing.

The attack chains commenced with a message sent via the iMessage service to an iOS device. The message has an attachment containing an exploit. The expert explained that the message triggers a remote code execution vulnerability without any user interaction (zero-click).

Shortly after Kaspersky’s disclosure, Russia’s FSB accused the US intelligence for the attacks against the iPhones. According to Russian intelligence, thousands of iOS devices belonging to domestic subscribers and diplomatic missions and embassies have been targeted as part of Operation Triangulation.

The operations aimed at gathering intelligence from diplomats from NATO countries, Israel, China and Syria.

FSB believes that Apple supported US intelligence in this cyberespionage campaign.

Other zero-day flaws exploited during the operation are CVE-2023-32434 and CVE-2023-32435, which were both addressed by Apple in June.

Apple released the following updates:

Name and information link	Available for	Release date
Safari 16.6	macOS Big Sur and macOS Monterey	24 Jul 2023
iOS 16.6 and iPadOS 16.6	iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later	24 Jul 2023
iOS 15.7.8 and iPadOS 15.7.8	iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)	24 Jul 2023
macOS Ventura 13.5	macOS Ventura	24 Jul 2023
macOS Monterey 12.6.8	macOS Monterey	24 Jul 2023
macOS Big Sur 11.7.9	macOS Big Sur	24 Jul 2023
tvOS 16.6	Apple TV 4K (all models) and Apple TV HD	24 Jul 2023
watchOS 9.6	Apple Watch Series 4 and later	24 Jul 2023

Recently Apple has re-released its Rapid Security Response updates to address the CVE-2023-37450 flaw in iOS and macOS after fixing browsing issues on certain websites caused by the first RSR issued by the company.

On July 10, Apple released Rapid Security Response updates for iOS, iPadOS, macOS, and Safari web browser to address the zero-day flaw that has been actively exploited in the wild.

Tricking the victim into processing specially crafted web content may lead to arbitrary code execution.

The flaw resides in the WebKit and Apple addressed it by improving checks.

“Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory published by Apple.

The vulnerability CVE-2023-37450 was reported to the company by an anonymous researcher.

The IT giant did not reveal details about the attacks in the wild exploiting this issue or the nature of the threat actors.

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)