Apple patches exploits used in spy campaign ‘Operation Triangulation’


Apple has shipped patches for the remote code execution (RCE) vulnerabilities in iOS that have already been exploited in the wild in the digital spying campaign dubbed Operation Triangulation.

The campaign used two zero-click iMessage exploits, which compromise devices without any user interaction, based on a pair of bugs in the kernel and WebKit respectively.

Apple has attributed the discovery of these vulnerabilities to Kaspersky Lab just two weeks after the Russian cybersecurity firm reported discovering an advanced persistent threat (APT) actor launching zero-click iMessage exploits on Russian iOS devices.

Apple patches vulnerable versions, including the latest

Apple characterized the exploited vulnerabilities as problems related to memory corruption within the kernel (CVE-2023-32434), which enables an application to execute arbitrary code with kernel privileges, and an issue identified in WebKit (CVE-2023-32435), which allows code execution through web content.

To address these issues, the company has rolled out patches in the latest updates of its operating systems: iOS 16.5.1, iPadOS 16.5.1, iOS 15.7.7, and iPadOS 15.7.7.

The fixes have been released both for the latest version (iOS 16.5.1) and the original vulnerable version (before iOS 15.7). Apple noted that the attacks have only been seen on devices running iOS versions older than iOS 15.7.
