Apple patches exploited bugs in iPhones plus other holes
One spotted by Amnesty International - wonder what that was used for?
Apple has released fixes for several security flaws that affect its iPhones, iPads, macOS computers, and Apple TV and watches, and warned that some of these bugs have already been exploited.
Here's a quick list of all of the security updates released late on Monday afternoon:
- Safari 16.6
- iOS 16.6 and iPadOS 16.6
- iOS 15.7.8 and iPadOS 15.7.8
- macOS Ventura 13.5
- macOS Monterey 12.6.8
- macOS Big Sur 11.7.9
- tvOS 16.6
- watchOS 9.6
On Tuesday the US government's Cybersecurity and Infrastructure Security Agency (CISA) sounded the alarm, too, warning that "an attacker could exploit some of these vulnerabilities to take control of an affected device." CISA urged users and admins to apply the software updates, and check automatic patching systems are working properly. We second that opinion.
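As an added illustration of the "check automatic patching systems are working properly" advice (this is not code from Apple, CISA, or this article's author), the sketch below compares a device inventory against the fixed releases listed above, branch by branch, so that a phone on iOS 15.7.8 is not flagged merely for being below 16.6. The status labels, function names, and sample inventory are assumptions made up for the example.

```python
import re

# Fixed release per product and major-version branch, from the article's list.
# iPadOS shares the iOS numbers.
FIXED = {
    "ios":     {16: (16, 6), 15: (15, 7, 8)},
    "ipados":  {16: (16, 6), 15: (15, 7, 8)},
    "macos":   {13: (13, 5), 12: (12, 6, 8), 11: (11, 7, 9)},
    "tvos":    {16: (16, 6)},
    "watchos": {9: (9, 6)},
    "safari":  {16: (16, 6)},
}

def parse_version(text):
    """'15.7.8' or '16.5.1 (c)' -> tuple of ints; the letter suffix is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def _pad(v, width=3):
    # (16, 6) and (16, 6, 0) must compare equal.
    return v + (0,) * (width - len(v))

def patch_status(product, version):
    branches = FIXED.get(product.lower())
    if branches is None:
        return "unknown-product"
    v = parse_version(version)
    fixed = branches.get(v[0])
    if fixed is None:
        # No update for this branch in the article's list; check Apple's advisories.
        return "unlisted-branch"
    return "patched" if _pad(v) >= _pad(fixed) else "outdated"

def audit(inventory):
    """Return only the (host, product, version, status) rows needing attention."""
    rows = [(h, p, v, patch_status(p, v)) for h, p, v in inventory]
    return [r for r in rows if r[3] != "patched"]

# Constructed sample inventory (host names and versions are made up).
SAMPLE = [
    ("phone-01", "iOS", "16.5.1 (c)"),
    ("phone-02", "iOS", "15.7.8"),
    ("mac-01", "macOS", "12.6.7"),
    ("mac-02", "macOS", "13.5"),
    ("phone-03", "iOS", "14.8"),
]
```

Calling `audit(SAMPLE)` returns the rows for phone-01, mac-01, and phone-03; the first two are behind the fixed release for their branch, and the third is on a branch this list does not cover.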
One of the bugs, CVE-2023-32409, in Apple's WebKit browser engine affects iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation). This one was discovered by Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International's Security Lab.
"A remote attacker may be able to break out of Web Content sandbox," according to the iGiant's advisory. "Apple is aware of a report that this issue may have been actively exploited."
Apple says it has fixed the issue by improving bounds checks. And although the tech giant never provides details about how the vulnerability was abused, or by whom, the identity of the bug hunters who spotted the software nasty would seem to indicate that it's being used to deploy spyware onto victims' devices.
TAG tracks more than 30 commercial spyware makers that sell exploits and surveillance software. Journalists, activists, and political dissidents tend to be targeted by snoopware, which Amnesty takes a keen interest in scrutinizing.
Kaspersky digs into kernel
In this same batch of security updates, Apple said it fixed a kernel-level bug, CVE-2023-38606, for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation). That flaw has likely been exploited in the wild, it appears.
"An app may be able to modify sensitive kernel state," the iPhone maker warned. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1."
Apple credits Kaspersky researchers Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin, Leonid Bezvershenko, and Boris Larin with finding this bug, which looks similar to the kernel vulnerability used to infect iPhones with TriangleDB spyware, also uncovered by the aforementioned team.
This latest kernel bug, CVE-2023-38606, affects several other Apple products, too, including Macs running macOS Ventura, Monterey, and Big Sur, the Apple Watch Series 4 and later, Apple TV 4K (all models), and Apple TV HD.
Another vulnerability in WebKit, in tvOS 16, watchOS 9.6, macOS Ventura, iOS 16, and iPadOS 16, tracked as CVE-2023-37450, may also have been exploited before Apple pushed patches, we're told. The flaw, reported by an anonymous researcher, occurs when processing web content, which may lead to arbitrary code execution. Patches are available for all Apple TV 4K models, Apple TV HD boxes, Apple Watch Series 4 and later, and Macs running Ventura.
Previously, Apple fixed this same issue in some iPhones and iPads via a "rapid security response" in iOS 16.5.1 (c) and iPadOS 16.5.1 (c). These are the new type of patches that Apple began rolling out in May, with mixed results.
The patches are supposed to be downloaded and applied automatically to immediately protect devices from exploitation, thus avoiding the usual system update cycle that users may put off or miss, and thus leave their kit vulnerable. ®