Patch Your Apple Devices NOW! Apple Fixes Third 0-day used in iOS Triangulation Exploit Chain

The story of the #iOSTriangulation in-the-wild 0-days continues with CVE-2023-38606 - another kernel vulnerability that was used in the zero-click exploit chain detailed last month.

Just over a month after 苹果 first fixed two zero-days that enabled attackers to run zero-click iMessage exploits on iOS and Mac devices, the Cupertino-based tech giant on Monday released a fix for a third Kernel-level zero-day that was used in the same zero-click exploit chain.

Tracked as CVE-2023-38606, the #zeroday is a Kernel vulnerability that permits a malicious application to modify sensitive kernel state. The zero-day was observed being exploited in attacks targeting devices run on older iOS versions - in particular versions released before iOS 15.7.1, Apple said in its security advisory.

Apple gave limited details of the fix and said they addressed this vulnerability with improved state management.

The tech giant attributed the latest zero-day finding to Kaspersky's security researcher trio of Georgy Kucherin , Leonid Bezvershenko and Boris Larin who last month were credited for reporting two other zero-days used to infect iPhone devices with spyware implant dubbed #TriangleDB via zero-click iMessage exploits.

The story of the #iOSTriangulation in-the-wild 0-days continues! CVE-2023-38606 is another kernel vulnerability that was used in the 0-click exploit chain. Discovered by Valentin Pashkov, Mikhail Vinogradov, @kucher1n, @bzvr_, and yours truly. Update all your Apple devices! - Boris Larin

Russian domestic intelligence agency the Federal Security Service had earlier said it uncovered several thousand iPhones infected with the same malware and accused Apple of collaborating with the U.S. National Security Agency. Russia's CERT released an alert linking FSB's statement to Kaspersky 's report.

An Apple spokesperson quashed these claims and said, "We have never worked with any government to insert a backdoor into any Apple product and never will," but Russia has now imposed a ban on iPhone usage by government employees post the discovery of the spyware campaign.

Other Zero-day Fix

Two weeks ago, Apple users with recent hardware were urged to install the company's second-ever out-of-band Rapid Response patch - iOS 16.5.1 (c) and iPadOS 16.5.1 (c), which addressed another zero-day, CVE-2023-37450.

The vulnerability, tracked as?CVE-2023-37450, is a WebKit bug that allows attackers to execute arbitrary code on targeted devices when victims open maliciously crafted web content. "Apple is aware of a report that this issue may have been actively exploited," the security advisory said. The tech giant said it fixed the issue with improved checks for malware.

With the latest security update, Apple released a regular fix for those who skipped the Rapid Response CVE-2023-37450 fix or who had older devices that were not eligible for RSR patch at the time.

CISA encouraged users and administrators to review the security advisories and apply the necessary updates.