Apple has recently announced and patched three zero-day vulnerabilities in multiple software products. It was reported that attackers have been exploiting these vulnerabilities and might be able to compromise the whole system. Affected software versions include those before Safari 16.5.1, iOS 16.5.1, iPadOS 16.5.1, iOS 15.7.7, iPadOS 15.7.7, macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8, watchOS 9.5.2, and watchOS 8.8.1.
The three zero-day vulnerabilities are CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439. Since CVE-2023-32434 is related to the kernel, attackers could exploit it to execute arbitrary code with kernel privileges. For CVE-2023-32435 and CVE-2023-32439, attackers could exploit the vulnerabilities by sending a phishing message to users and tricking them into visiting a malicious website or installing a malicious app.
There are reports that CVE-2023-32434 and CVE-2023-32435 are related to the Operation Triangulation attack campaigns. According to research by the international cyber security company Kaspersky, the attack described in Operation Triangulation does not require any user interaction. The attacker simply sends a message with a malicious attachment to the victim’s device via the iMessage service, exploiting the vulnerability to execute arbitrary code with root privileges and thereby implanting a payload into the device’s memory.
The research mentioned that successful exploitation of the vulnerabilities has been found in versions prior to iOS 15.7, but it cannot be guaranteed that other versions of iOS are not affected. Successful exploitation can give attackers the capability to interact with the victim’s device file system (including the creation, modification, exfiltration and removal of files), dump the victim’s keychain items, and monitor the victim’s geolocation, etc.
The Hong Kong Computer Emergency Response Coordination Centre (HKCERT) of the Hong Kong Productivity Council calls on local Apple device users to update their systems as soon as possible to block malicious attacks that exploit the vulnerabilities. Programmes should be kept up to date and should only be downloaded from official app stores. Mobile device users can also install reliable antivirus applications to detect known malicious programmes and malicious websites, and set device password locks or screen locks so that, if the device is stolen or lost, the data will not be easily stolen by others. Finally, remember not to unlock the mobile device (jailbreak) to install more functions or to cancel the original security mechanisms.
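To act on the update advice across many devices, the following added example (not HKCERT or Apple code) checks an inventory against the fixed releases listed in the first paragraph and reports which devices still need an update. The status names, function names and sample inventory are assumptions made for illustration, and any release newer than the newest one listed is assumed to already include the fixes.

```python
# Added example, not HKCERT or Apple code. Fixed releases are the ones named
# in this advisory; the inventory rows below are constructed sample data.
FIXED = {
    "Safari": ["16.5.1"],
    "iOS": ["15.7.7", "16.5.1"],
    "iPadOS": ["15.7.7", "16.5.1"],
    "macOS": ["11.7.8", "12.6.7", "13.4.1"],
    "watchOS": ["8.8.1", "9.5.2"],
}

def parse_version(text):
    """'16.5' -> (16, 5, 0), so that 16.5 sorts below 16.5.1."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def assess(product, version):
    """Return (status, release_to_install_or_None) for one device."""
    if product not in FIXED:
        return ("unknown-product", None)
    v = parse_version(version)
    fixes = sorted(FIXED[product], key=parse_version)
    for fix in fixes:
        if parse_version(fix)[0] == v[0]:  # fix exists for this major version
            return ("patched", None) if v >= parse_version(fix) else ("update", fix)
    if v > parse_version(fixes[-1]):
        # Assumption: anything newer than the newest listed fix already has it.
        return ("patched", None)
    # Older major with no fix listed on the page: lowest listed fix above it.
    target = next(f for f in fixes if parse_version(f) > v)
    return ("no-fix-in-branch", target)

def audit(inventory):
    """Rows needing action as (host, product, version, status, target)."""
    rows = [(h, p, v, *assess(p, v)) for h, p, v in inventory]
    return [r for r in rows if r[3] != "patched"]

SAMPLE_INVENTORY = [  # constructed
    ("phone-01", "iOS", "16.5"),
    ("phone-02", "iOS", "15.7.7"),
    ("mac-01", "macOS", "10.15.7"),
    ("watch-01", "watchOS", "9.5.2"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row)
```

A `no-fix-in-branch` result means the advisory lists no fixed release for that major version, so the device has to move to a newer major release to receive the fix.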
For more information, please visit:
https://www.hkcert.org/security-bulletin/apple-products-multiple-vulnerabilities_20230623
Businesses or members of the public who wish to report to HKCERT on information security-related incidents such as malware, phishing, denial of service attacks, etc. can do so by completing the online form at: https://www.hkcert.org/incident-reporting, or calling the 24-hour hotline at +852 8105 6060. For further enquiries, please contact HKCERT at hkcert@hkcert.org.