
Apple patches vulns used to infect Russian iPhones with TriangleDB malware


On Wednesday, June 21, Apple released updates to its mobile, watch, and desktop operating systems. Both iOS 16.5.1 and iPadOS 16.5.1 include a fix for “an issue that prevents charging with the Lightning to USB 3 Camera Adapter.”

However, the primary purpose of the updates was providing security fixes for three “actively exploited” vulnerabilities. Two of those vulnerabilities had reportedly been used in recurring attacks to infect Russians’ iPhones with spyware.

Let’s take a look at the highlights of each update.


Apple addresses 3 zero-days, 2 of which were used against Russian targets

In total, Apple addressed three “actively exploited” (i.e. in-the-wild) vulnerabilities in this week’s updates. The kernel vulnerability (CVE-2023-32434) was addressed for all supported versions of macOS, iOS, iPadOS, and watchOS. One of the WebKit vulnerabilities (CVE-2023-32439) was patched for all supported versions of macOS, iOS, and iPadOS. A second WebKit vulnerability (CVE-2023-32435) was only patched for iOS and iPadOS 15.

Kernel

Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.

Description: An integer overflow was addressed with improved input validation.

CVE-2023-32434: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A type confusion issue was addressed with improved checks.

WebKit Bugzilla: 256567
CVE-2023-32439: an anonymous researcher

WebKit

Available for: iOS 15.7.7 and iPadOS 15.7.7 — for iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 251890
CVE-2023-32435: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

You may note that Apple credits a trio of Kaspersky researchers for both the kernel vulnerability and the second WebKit vulnerability. Kaspersky is a multinational antivirus company with its main headquarters in Moscow, Russia. There’s a story behind the discovery of these vulnerabilities.

Operation Triangulation, and TriangleDB iOS (and macOS?) malware

On June 1, Russia’s Federal Security Service (FSB) publicly alleged that an espionage operation had compromised several thousand iPhones in Russia, and claimed that it believed that Apple worked closely with the U.S. National Security Agency (NSA) on the spying campaign. On the June 15 episode of the Intego Mac Podcast, we discussed the implausibility of the allegation that Apple had collaborated with a U.S. spy agency (starting at 6:15 in the episode).

The same day, Kaspersky’s CEO claimed that “both middle and top management” at Kaspersky had found evidence of infections on their iPhones. Reportedly, the infections were delivered by exploiting “a number of vulnerabilities” in iOS, via “an invisible iMessage with a malicious attachment.” Kaspersky released detailed reports referring to the campaign as Operation Triangulation, and the iOS spyware as Triangulation or TriangleDB. They claimed that the attack was “ongoing” as of June 1, but that the newest iOS version they had seen infected was iOS 15.7 (which was released in September 2022—this underscores the importance of staying up to date with all Apple security updates). Kaspersky indicated that other vulnerabilities besides those listed above may have been used in this campaign, “most likely” including CVE-2022-46690, which was fixed in iOS 16.2 (but was not listed as “actively exploited”).

Although a Mac version of the TriangleDB malware has not yet been discovered, there are hints in the iOS version’s code that a macOS version may also exist.

If any doubt remained about whether some real-world vulnerabilities had been exploited as part of a cyber-espionage campaign, Apple dispelled that doubt with the release of its patches on Wednesday, June 21. Apple credited three of the Kaspersky researchers who did the technical research and reporting on the vulnerabilities earlier this month, and noted that both vulnerabilities “may have been actively exploited”—which sounds wishy-washy, but is as clear as Apple ever gets when there is clear confirmation of active exploitation in the wild.

macOS Ventura 13.4.1

Available for:
All supported Macs currently running macOS Ventura

As of this moment, it appears that Apple addressed only two vulnerabilities in this update: CVE-2023-32434 and CVE-2023-32439. However, Apple sometimes updates past advisories with additional disclosures. See Apple’s page about the security content of macOS Ventura 13.4.1.

Users of macOS Ventura can get this update by going to System Settings > General > Software Update.

If your Mac is running macOS Mojave, Catalina, Big Sur, or Monterey, and your Mac is compatible with macOS Ventura, you can upgrade to macOS Ventura by going to System Preferences > Software Update. If your Mac is running macOS High Sierra or older and is compatible with macOS Ventura, look for macOS Ventura in the Mac App Store and download it from there.

macOS Monterey 12.6.7, macOS Big Sur 11.7.8, and Safari 16.5.1

Available for:
All supported Macs currently running macOS Monterey or macOS Big Sur

As of this moment, it appears that Apple addressed the same two vulnerabilities for macOS Monterey and macOS Big Sur that it addressed in macOS Ventura. However, Apple sometimes updates past advisories with additional disclosures. As usual, Apple released a separate Safari update addressing the WebKit vulnerability, rather than bundling the fix directly into the Monterey and Big Sur updates as it does with the current macOS version. See Apple’s pages about the security content of macOS Monterey 12.6.7, macOS Big Sur 11.7.8, and Safari 16.5.1 for macOS Monterey and Big Sur.

Notably, while macOS Monterey and macOS Big Sur got the same patches as macOS Ventura this time, Apple frequently chooses to withhold many security patches from the two previous Mac operating systems. If you’re still running Monterey or Big Sur on a Mac that’s compatible with Ventura—or even a Mac that isn’t officially compatible, but can be upgraded anyway—it’s best to upgrade to Ventura to significantly improve your Mac’s security. But in the meantime, you can get this week’s updates by going to System Preferences > Software Update.

iOS 16.5.1 and iPadOS 16.5.1

Available for:
iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Improvements and bug fixes:

  • Fixes an issue that prevents charging with the Lightning to USB 3 Camera Adapter

Security-related fixes and updates:
As of this moment, it appears that Apple addressed the same two vulnerabilities for iOS 16.5.1 and iPadOS 16.5.1 that it addressed in macOS Ventura. However, Apple sometimes updates past advisories with additional disclosures. See Apple’s page about the security content of iOS 16.5.1 and iPadOS 16.5.1.

To get the latest update, you can connect your device to your Mac to back it up and install the update. Alternatively, you can download these updates over the air (i.e. directly onto the device) by going to Settings > General > Software Update on your device.

iOS 15.7.7 and iPadOS 15.7.7

Available for:
iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Both iOS 15.7.7 and iPadOS 15.7.7 include fixes for all three vulnerabilities that Apple patched this week.

Notably, the patch for one of the WebKit vulnerabilities (CVE-2023-32435)—which was apparently used in an exploit chain to infect iPhones in Russia—was only released for the 15.7.7 operating systems. Presumably, this means that the vulnerability either does not exist, or is not exploitable, in iOS 16.5.1 or the other operating systems Apple patched this week.

Kaspersky researchers noted that Operation Triangulation vulnerabilities were successfully exploited up through and including iOS 15.7, while Apple’s wording implies that the two Kaspersky-reported vulnerabilities affect versions of iOS older than 15.7.

Apple sometimes updates past advisories with additional disclosures. See Apple’s page about the security content of iOS 15.7.7 and iPadOS 15.7.7.

To get this update, you can connect your device to your Mac to back it up and install the update. Alternatively, you can download these updates over the air by going to Settings > General > Software Update on your device.

watchOS 9.5.2

Available for:
Apple Watch Series 4 and later

As of this moment, it appears that this week’s watchOS update includes a fix for a single vulnerability: CVE-2023-32434, the kernel vulnerability exploited by Operation Triangulation.

Apple’s watchOS advisories for this week do not mention CVE-2023-32439, the WebKit vulnerability that was patched for all supported versions of macOS, iOS, and iPadOS. Presumably this means that watchOS was not impacted by this particular WebKit issue.

Astute readers may note that we haven’t previously covered watchOS 9.5.1. That update was released by itself (not alongside any other OS updates) on May 30. It addressed “improvements and bug fixes,” and Apple indicated at the time that it “has no published CVE entries.” This likely means that watchOS 9.5.1 did not include any security updates—but it could theoretically mean that Apple quietly fixed minor security issues that did not get a CVE number assigned.

Apple sometimes updates past advisories with additional disclosures. See Apple’s page about the security content of watchOS 9.5.2.

To install this update, make sure your iPhone is up to date first, that both your phone and watch are connected to the same Wi-Fi network, and that the watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.

watchOS 8.8.1 — first security update in 11 months

Available for:
Apple Watch Series 3

Color me shocked—Apple has finally released a watchOS 8 security update, 11 months after the last one. Apple was still selling the Apple Watch Series 3 refurbished until just a few months ago, in March, despite it missing major security patches. For unknown reasons, Apple chose not to release watchOS 9 for this one particular watch model, which put the device in an awkward state of limbo for eight months, while Apple still sold it, knowing it was dangerously vulnerable.

Apple only patched this week’s kernel vulnerability (CVE-2023-32434) in this update, however; not a single other CVE was listed as having been addressed. This means that the Apple Watch Series 3 remains vulnerable to dozens of other vulnerabilities—including other actively exploited vulnerabilities—and is still unsafe to use, in spite of this week’s watchOS 8.8.1 security update.

The “8.8.1” version numbering is very odd, considering that there was never a watchOS 8.8 released to the public. Perhaps Apple had intended to release a previous update but never got around to it. In any case, Apple’s About watchOS 8 Updates page doesn’t mention anything about this update besides that it “provides important security fixes,” and the About the security content of watchOS 8.8.1 page lists only the one kernel vulnerability that was fixed.

I share more thoughts on this in our separate article, Apple gives Watch Series 3 users false sense of security, patching 1 vulnerability.


No tvOS, audioOS, Studio Display updates

Apple did not release any corresponding updates to address vulnerabilities in tvOS or audioOS (the Apple TV and HomePod operating systems, respectively) or Studio Display Firmware this week. Presumably this either means that these operating systems and devices were unaffected, or perhaps that they may be less likely to be exploited (in which case they could theoretically get patches at a later date).
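The per-release fix coverage described in the sections above can be checked against a device inventory. The following is an added example, not code from Apple or from this article's author; the function names, hostnames and inventory rows are constructed for illustration, and the version and CVE data come only from this article. It assumes plain dotted version strings and treats an unknown Safari version on Monterey or Big Sur as unpatched, since those releases get the WebKit fix through the separate Safari 16.5.1 update.

```python
KERNEL, WK_TYPE, WK_UAF = "CVE-2023-32434", "CVE-2023-32439", "CVE-2023-32435"

# (platform, major) -> (first fixed OS version, CVEs fixed by the OS update,
#                       CVEs fixed only by the separate Safari 16.5.1 update)
FIXES = {
    ("macos", 13): ((13, 4, 1), {KERNEL, WK_TYPE}, set()),
    ("macos", 12): ((12, 6, 7), {KERNEL}, {WK_TYPE}),
    ("macos", 11): ((11, 7, 8), {KERNEL}, {WK_TYPE}),
    ("ios", 16): ((16, 5, 1), {KERNEL, WK_TYPE}, set()),
    ("ios", 15): ((15, 7, 7), {KERNEL, WK_TYPE, WK_UAF}, set()),
    ("watchos", 9): ((9, 5, 2), {KERNEL}, set()),
    ("watchos", 8): ((8, 8, 1), {KERNEL}, set()),
}
SAFARI_FIXED = (16, 5, 1)

def parse_version(text):
    """'13.4' -> (13, 4, 0); padded so 13.4 compares below 13.4.1."""
    parts = [int(p) for p in text.split()[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def missing_fixes(platform, os_version, safari_version=None):
    """Sorted CVEs from this article still unpatched on the device, or None
    when the article lists no update for that OS branch."""
    name = platform.lower().replace("ipados", "ios")
    installed = parse_version(os_version)
    entry = FIXES.get((name, installed[0]))
    if entry is None:
        return None
    fixed_in, os_cves, safari_cves = entry
    missing = set(os_cves) if installed < fixed_in else set()
    if safari_cves and (safari_version is None
                        or parse_version(safari_version) < SAFARI_FIXED):
        missing |= safari_cves
    return sorted(missing)

# Constructed inventory: (host, platform, OS version, Safari version or None).
INVENTORY = [
    ("mac-01", "macOS", "13.4.1", None),
    ("mac-02", "macOS", "12.6.7", "16.5"),    # OS updated, Safari not
    ("phone-01", "iOS", "15.7.6", None),
    ("watch-01", "watchOS", "8.7", None),
    ("mac-03", "macOS", "10.15.7", None),     # branch not covered here
]

def triage(inventory):
    return {host: missing_fixes(p, v, s) for host, p, v, s in inventory}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(host, "no update listed" if result is None else result or "patched")
```

A result of `None` means the article names no update for that branch, which is different from an empty list (fully patched for these three CVEs).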

Key takeaways

If you get nothing else out of this article, here are some key points:

  • Apple released urgent security updates this week; check for and install updates on your Macs, iPhones, iPads, and Apple Watches as soon as possible.
  • At this point, macOS Ventura, iOS 16, and iPadOS 16 are the only safe operating systems to use on Macs, iPhones, and iPads, respectively.
    • If you have a Mac for which Apple doesn’t officially support Ventura, you may be able to upgrade it anyway.
    • If you have an older iPhone or iPad that isn’t compatible with 16.x, or any iPod touch, buying a new device is the safest option.

It is advisable to update to the latest operating systems as soon as you reasonably can, especially when Apple either releases a Rapid Security Response or warns that there are “actively exploited” vulnerabilities in the wild. It’s important to get the benefits of new security fixes as quickly as possible to help you stay protected from hackers and malware.

If you have a Mac running macOS Monterey or Big Sur that’s compatible with Ventura, you may wish to update to the current Monterey or Big Sur version for now, and then as soon as practical, upgrade to macOS Ventura. Here’s why. Generally speaking, it is best to upgrade to the latest Apple OS versions quickly for security reasons. For maximum security, one cannot rely on any minimal security patches Apple may release for previous OS versions.

Apple’s Poor Patching Policies Potentially Make Users’ Security and Privacy Precarious

Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned.

See also our article on how to back up your iPhone or iPad to iCloud and to your Mac.

Should you back up your iPhone to iCloud or your Mac? Here’s how to do both

See also our related article on how to check your macOS backups to ensure they work correctly.

How to Verify Your Backups are Working Properly

How can I learn more?

Last week on episode 296 of the Intego Mac Podcast, we talked about the implausibility of Apple colluding with the U.S. government to hack a U.S. adversary. This week, we discussed the new Apple patches immediately as they were released, while recording episode 297.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.