Apple released security updates for its iOS, macOS and iPadOS platforms to address a slew of vulnerabilities, including a couple of zero-days exploited by hackers.
One of the zero-day flaws is CVE-2023-38606, a new kernel bug exploited in attacks targeting devices running older iOS versions released before iOS 15.7.1. The vulnerability exists due to a boundary error within the OS kernel. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.
“An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited,” the Cupertino device maker said in a security alert.
CVE-2023-38606 is said to be part of a zero-click exploit chain used to infect iPhones with the Triangulation spyware via iMessage exploits.
The second zero-day (CVE-2023-37450) is a remote code execution flaw that stems from a boundary error when processing HTML content in WebKit. A malicious hacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.
In total, the updates address at least 25 security issues in Apple’s operating systems, including bugs that could be used for privilege escalation, data theft, and remote code execution.