Apple has pushed fixes for three exploited zero-day vulnerabilities, one of which allowed a victim to be infected by a malicious iMessage without user interaction.
Two of the zero-day vulnerabilities, CVE-2023-32434 and CVE-2023-32435, are being used in a campaign to drop spyware on target devices.
CVE-2023-32434 is a kernel bug, with Apple saying that “an app may be able to execute arbitrary code with kernel privileges.”
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7,” it said.
CVE-2023-32435 is a WebKit bug offering a vector to remote code execution (RCE) when a device is processing web content. Again, Apple has been alerted to active exploitation.
Discovery of the bugs is attributed to Kaspersky’s Georgy Kucherin, Leonid Bezvershenko, and Boris Larin, who in this blog post explain that the bugs have been used to distribute the Triangulation spyware.
“The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability,” Kaspersky said.
“It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted.
“Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again.”
The implant analysed by Kaspersky has commands for filesystem interaction (create, modify, exfiltrate and remove files); process interaction (listing and terminating processes); keychain access; monitoring the user’s location; and running other executables.
The kernel vulnerability is present in watchOS 8.8.1 and 9.5.2, macOS Big Sur 11.7.8, Monterey 12.6.7, iOS 16.5.1 and iPadOS 16.5.1.
macOS Ventura 13.4.1, iOS 15.7.7, and iPadOS 15.7.7 have both the kernel bug and the WebKit bug.
The patches Apple pushed today also include a fix for another WebKit zero-day, CVE-2023-32439, another RCE that can be triggered by crafted web content, and which may have been exploited.
The GitHub pull request for the fix said the bug created the potential for a hash collision, but did not explain how that might be exploited.