Apple has patched an exploited zero-day kernel vulnerability (CVE-2023-38606) in iOS, iPadOS, macOS, watchOS and tvOS.
CVE-2023-38606 fix has been backported
In early July, Apple fixed an actively exploited zero-day vulnerability (CVE-2023-37450) in WebKit.
The vulnerability was patched via a Rapid Security Response update for iOS 16.5.1, iPadOS 16.5.1 and macOS Ventura 13.4.1, and via a regular update for Safari (16.5.2), which also delivered the fix to users of older macOS versions (macOS Big Sur and macOS Monterey).
Those patches have now been backported and included in:
The fix was not included in Safari 16.6 (since it was covered by the previous Safari 16.5.2 update), nor in macOS Monterey 12.6.8 and macOS Big Sur 11.7.9 (for the same reason).
About CVE-2023-38606
The July 24 security updates have fixed a variety of vulnerabilities affecting the various OS releases, including another zero-day vulnerability exploited by attackers (CVE-2023-38606).
CVE-2023-38606 is a kernel vulnerability that may allow a malicious app to modify sensitive kernel state. “Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1,” Apple commented.
The vulnerability was reported by Kaspersky researchers Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin, Leonid Bezvershenko, and Boris Larin, and forms part of the exploit chain used by iOS spyware the researchers dubbed TriangleDB. (Two vulnerabilities used in the same chain were fixed by Apple in late June.)
Attacks leveraging the TriangleDB spyware seem to have been very targeted; Kaspersky has provided a tool users can use to check whether they are among the victims.
Users of Apple devices are advised to install the latest updates as soon as possible.