Roughly three weeks after Kaspersky disclosed an integer overflow in kernel vulnerability which may have been actively exploited in iOS version 15.7 and older, Apple has released security updates fixing the following vulnerabilities.
- CVE-2023-32434: Integer overflow vulnerability in the Kernel, allowing a malicious app to run arbitrary code and gain elevated privileges. There are reports of active exploitation in the wild before iOS version 15.7.
- CVE-2023-32439: Type confusion vulnerability in Webkit. Exploitation via maliciously crafted web content can lead to arbitrary code execution. Apple is “aware of a report” that this vulnerability might have been actively exploited.
Out of the two bugs, Kaspersky reported CVE-2023-32434, which came to light via a targeted attack on Kaspersky management. Even though the company said that it was confident that it wasn’t the main target of the attack, it had to analyse its own devices for samples and threat hunting instead of its customers, which is usually the case.
The Kaspersky report detailed a new iOS malware strain which was apparently injected automatically onto infected devices without any interaction required from the users. Generally, iPhone malware needs to bypass not only the Apple Store’s security measures but also its app separation, which limits the reach of every app to its own data.
Bypassing both these measures generally indicates a zero-day kernel exploit. Considering how the threat actors were able to deliver the malicious payload and trigger it on the target device without requiring user interaction, it’s safe to assume that they’re aware of a zero-day exploit that can be triggered remotely.
Regardless, the latest update from Apple fixes the issue on iOS, iPadOS, all three versions of macOS (Ventura, Monterey and Big Sur) and watchOS. The only device that hasn’t seen an update yet is tvOS. In other words, unless you’ve already updated to the latest patches from Apple pretty much every Apple device you use is vulnerable to the kernel bug.
In the News: Asus ROG Ally is going on sale in India from July 12