Apple rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address critical security vulnerabilities in the products.
Among the patched vulnerabilities is the particularly concerning zero-day bug, CVE-2023-38606, which was actively exploited in the wild. This flaw resides in the kernel and allows a malicious app to modify a sensitive kernel state. The latest updates are available for various devices and operating systems. It could allow a malicious app to execute arbitrary code with kernel privileges, enabling an attacker to run any command on a targeted iPhone or iPad.
To safeguard against this risk, users of iPhone 8 and, later, iPad Pro (3rd generation) and, later, iPad Air (3rd generation) and later, and iPad mini (5th generation) are urged to install the patch. Apple has now fixed this issue with improved kernel state management.
The tech giant has acknowledged that the zero-day bug may have been actively exploited against versions of iOS released before iOS 15.7.1. This marks the third security vulnerability connected to Operation Triangulation, a sophisticated mobile cyber espionage campaign targeting iOS devices since 2019.
The other two zero-days, CVE-2023-32434 and CVE-2023-32435, were patched by Apple last month. Credit for discovering and reporting the flaw goes to Kaspersky researchers Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin, Leonid Bezvershenko, and Boris Larin.
Among the other vulnerabilities resolved, one affects the Find My app, which, if exploited, could divulge sensitive location information. The fix will be available for the iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
Additional vulnerabilities impacting the iOS and iPadOS kernels were also disclosed by Apple. They include potential elevation of privileges, leading to unauthorized control beyond standard user rights, and denial-of-service attacks, which could hinder user access to desired features and apps. Furthermore, a vulnerability could grant an attacker root privileges, allowing them to create backdoors, insert trojans, or delete user information from the device.
The update also includes fixes for two vulnerabilities in the WebKit browser engine, one of which was actively exploited. Users are strongly advised to install the updates promptly to enhance the security of their devices.
Apart from that, tvOS 16.6 update is available for Apple TV 4K (all models), and Apple TV HD and watchOS 9.6 update applies to Apple Watch Series 4 and later.
In the News: Encrypted police, military Tetra radios used globally are at risk
