Three actively exploited vulnerabilities have recently been patched by Apple, two of which have been used to deploy Triangulation spyware onto iOS devices. Russian security firm Kaspersky published a report investigating the use of these vulnerabilities in what they have termed ‘Operation Triangulation’ which involves the implant of TriangleDB (Kaspersky’s term) on vulnerable iOS devices. This implant is written in Objective-C and deployed into the memory, causing any trace of the implant to be lost when the device is restarted. This zero-click exploit was able to be deployed through iMessages sent to vulnerable devices. Attackers first exploit the two zero-day Kernel and WebKit vulnerabilities to achieve the root level privileges needed to deploy this triangulation spyware.   

The first vulnerability used in this exploit is tracked as CVE-2023-32434 and is found in the Kernel of vulnerable iOS, iPadOS, watchOS, and macOS devices. This flaw occurs due to an integer overflow where the value of the integer variable attempted to be stored is larger than the maximum value the variable can hold. An exploitation of this flaw gives the attacker the ability to execute arbitrary code with kernel level privileges. This has been resolved in the recent updates through improved input validation. 

The second vulnerability involved in the spyware deployment exploit is CVE-2023-32435, a memory corruption flaw found in the WebKit of vulnerable iOS, iPadOS, and macOS devices, also affecting Safari versions before 16.4. This flaw can be exploited through the processing of maliciously crafted web content which can result in arbitrary code execution on the vulnerable device. This has been resolved in the recent updates through improved state management. 

A third vulnerability also believed to be actively exploited however not involved in the spyware deployment was patched in these updates. Tracked as CVE-2023-32439 this WebKit vulnerability also can allow for arbitrary code execution through the processing of maliciously crafted web content. This is a type confusion flaw that has been resolved in the recent updates through improved checks.  

These vulnerabilities have been patched in iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, watchOS 9.5.2, watchOS 8.8.1, macOS Ventura 13.4.1, macOS Big Sur 11.7.8, macOS Monterey 12.6.7, and Safari 16.5.1. Apple have also released a support article to advise users of how to stay safe against threat-sponsored attacks, including advice such as keeping your devices up to date, using multi-factor authentication, and not clicking on any links or attachments from unknown senders.