Apple patches exploited bugs in iPhones plus other holes

One spotted by Amnesty International - wonder what that was used for?


Apple has released fixes for several security flaws that affect its iPhones, iPads, macOS computers, and Apple TV and watches, and warned that some of these bugs have already been exploited.

Here's a quick list of all of the security updates released late on Monday afternoon:

On Tuesday the US government's Cybersecurity and Infrastructure Security Agency (CISA) sounded the alarm, too, warning that "an attacker could exploit some of these vulnerabilities to take control of an affected device." CISA urged users and admins to apply the software updates, and check automatic patching systems are working properly. We second that opinion.  

One of the bugs, CVE-2023-32409, in Apple's WebKit browser engine affects iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation). This one was discovered by Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International's Security Lab. 

"A remote attacker may be able to break out of Web Content sandbox," according to the iGiant's advisory. "Apple is aware of a report that this issue may have been actively exploited."

Apple says it has fixed the issue by improving bounds checks. And although the tech giant never provides details about how the vulnerability was abused, or by whom, the bug hunters who spotted the software nasty would seem to indicate that it's being used to deploy spyware onto victims' devices. 

TAG tracks more than 30 commercial spyware makers that sell exploits and surveillance software. Journalists, activists, and political dissidents tend to be targeted by snoopware, which Amnesty takes a keen interest in scrutinizing.

Kaspersky digs into kernel

In this same batch of security updates, Apple said it fixed a kernel-level bug, CVE-2023-38606, for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation). That flaw has likely been exploited in the wild, it appears.

"An app may be able to modify sensitive kernel state," the iPhone maker warned. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1."

Apple credits Kaspersky researchers Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin, Leonid Bezvershenko, and Boris Larin with finding this bug, which looks similar to the kernel vulnerability used to infect iPhones with TriangleDB spyware, also uncovered by the aforementioned team.

This latest kernel bug, CVE-2023-38606, affects several other Apple products, too, including Macs running macOS Ventura, Monterey, and Big Sur, the Apple Watch Series 4 and later, Apple TV 4K (all models), and Apple TV HD.

Another vulnerability in WebKit, in tvOS 16, watchOS 9.6, macOS Ventura, iOS 16, and iPadOS 16, tracked as CVE-2023-37450, may also have been exploited before Apple pushed patches, we're told. The flaw, reported by an anonymous researcher, occurs when processing web content, which may lead to arbitrary code execution. Patches are available for all Apple TV 4K models, Apple TV HD boxes, Apple Watch Series 4 and later, and Macs running Ventura.

Previously, Apple fixed this same issue in some iPhones and iPads via a "rapid security response" in iOS 16.5.1 (c) and iPadOS 16.5.1 (c). These are the new type of patches that Apple began rolling out in May, with mixed results.

The patches are supposed to be downloaded and applied automatically to immediately protect devices from exploitation, thus avoiding the usual system update cycle that users may put off or miss, and thus leave their kit vulnerable. ®
