![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/06\/Apple-software-update-red-critical-urgent-running-from-TriangleDB-malware-600x300-1.jpg\")
<\/p>\n<\/p>\n
On Wednesday, June 21, Apple released updates to its mobile, watch, and desktop operating systems. Both iOS 16.5.1 and iPadOS 16.5.1 include a fix for “an issue that prevents charging with the Lightning to USB 3 Camera Adapter.”<\/p>\n
However, the primary purpose of the updates was providing security fixes for three “actively exploited” vulnerabilities. Two of those vulnerabilities had reportedly been used in recurring attacks to infect Russians’ iPhones with spyware.<\/p>\n
Let’s take a look at the highlights of each update.<\/p>\n
In this article:<\/em><\/p>\n In total, Apple addressed three “actively exploited” (i.e. in-the-wild) vulnerabilities<\/strong> in this week’s updates. The kernel vulnerability (CVE-2023-32434) was addressed for all supported versions of macOS, iOS, iPadOS, and watchOS. One of the WebKit vulnerabilities (CVE-2023-32439) was patched for all supported versions of macOS, iOS, and iPadOS. A second WebKit vulnerability (CVE-2023-32435) was only patched for iOS and iPadOS 15.<\/p>\n Kernel Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited<\/span> against versions of iOS released before iOS 15.7.<\/p>\n Description: An integer overflow was addressed with improved input validation.<\/p>\n CVE-2023-32434: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky<\/p>\n <\/p>\n WebKit<\/strong><\/p>\n Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.<\/span><\/p>\n Description: A type confusion issue was addressed with improved checks.<\/p>\n WebKit Bugzilla: 256567 <\/p>\n WebKit<\/strong><\/p>\n Available for: iOS 15.7.7 and iPadOS 15.7.7 \u2014 for iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)<\/p>\n Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited<\/span> against versions of iOS released before iOS 15.7.<\/p>\n Description: A use-after-free issue was addressed with improved memory management.<\/p>\n WebKit Bugzilla: 251890 You may note that Apple credits a trio of Kaspersky researchers for both the kernel vulnerability and the second WebKit vulnerability. <\/a>Kaspersky is a multinational antivirus company with its main headquarters in Moscow, Russia. There’s a story behind the discovery of these vulnerabilities.<\/p>\n On June 1, Russia’s Federal Security Service (FSB) publicly alleged<\/a> that an espionage operation had compromised several thousands iPhones in Russia, and claimed that it believed that Apple worked closely with the U.S. National Security Agency (NSA) on the spying campaign. On the June 15 episode<\/a> of the Intego Mac Podcast<\/a>, we discussed the implausibility of the allegation that Apple had collaborated with a U.S. spy agency (jump to 6:15 in the player below, or jump to that part of the episode transcript<\/a>).<\/p>\n\n
\n
Apple addresses 3 zero-days, 2 of which were used against Russian targets<\/h3>\n
\n<\/strong><\/p>\n
\nCVE-2023-32439: an anonymous researcher<\/p>\n
\nCVE-2023-32435: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky<\/p><\/blockquote>\nOperation Triangulation, and TriangleDB iOS (and macOS?) malware<\/strong><\/h4>\n