Apple patched several zero-click vulnerabilities in its iOS, iPadOS, macOS, and watchOS operating systems.
Two of the bugs (CVE-2023-32439, and CVE-2023-32435) reside in the WebKit browser engine and can be exploited to execute arbitrary code on the target system using a specially crafted webpage.
The third zero-day, tracked as CVE-2023-32434, is an integer overflow in the kernel that can allow a local application to escalate privileges on the system.
Apple has not shared additional information on attacks exploiting the above mentioned security flaws, but noted that CVE-2023-32434 and CVE-2023-32435 “may have been actively exploited against versions of iOS released before iOS 15.7.”
The two bugs were reportedly exploited to deliver the TriangleDB spyware implant to iOS devices as part of a campaign called Operation Triangulation.
Last month, Apple fixed three WebKit zero-days that allowed to remotely execute code on the system, or gain access to potentially sensitive information.