Apple Fixes New Zero-Day Used in Attacks Against iPhones, Macs

Cyber Security Threat Summary:
Apple has released security updates to address a zero-day vulnerability that was exploited in attacks targeting iPhones, Macs, and iPads. Tracked as CVE-2023-38606, the flaw is a kernel issue that could allow a malicious application to modify sensitive kernel state. Apple fixed it with improved checks, and updates have been released for the following devices and operating systems:

  • iOS 16.6 and iPadOS 16.6 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
  • iOS 15.7.8 and iPadOS 15.7.8 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
  • macOS Ventura 13.5, macOS Monterey 12.6.8, and macOS Big Sur 11.7.9
  • tvOS 16.6 - Apple TV 4K (all models) and Apple TV HD, and
  • watchOS 9.6 - Apple Watch Series 4 and later

Security Officer Comments:
Apple says it is aware that the flaw may have been actively exploited against versions of iOS released before iOS 15.7.1. As of writing, the technical details have not been released, to give users enough time to apply the updates. However, according to security experts at Kaspersky, CVE-2023-38606 was used as part of a zero-click exploit chain to deploy Triangulation spyware on iPhones via iMessage exploits.

Suggested Correction(s):
Users are advised to apply the latest updates as soon as possible to prevent potential exploitation attempts.

Link(s):
https://www.bleepingcomputer.com/