Apple Patches Three Zero-Day Flaws Reportedly Used To Target iPhones

The company says that it’s ‘aware’ of reports that the vulnerabilities ‘may have been actively exploited.’

Apple released fixes Wednesday for three zero-day vulnerabilities affecting its products that have reportedly been exploited by threat actors to target iPhone users through the iMessage messaging app.

For each of the three vulnerabilities, Apple said in a security advisory that it is “aware of a report that this issue may have been actively exploited.”

[Related: CISA Urges Deployment Of Patches For Three Apple Device Vulnerabilities]

Two of the vulnerabilities were discovered by researchers at cybersecurity vendor Kaspersky, who earlier on Wednesday posted details about a spyware implant that utilizes a vulnerability affecting iOS. The “TriangleDB” implant is “deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability,” the three Kaspersky researchers wrote in a post.

Apple released patches for the kernel vulnerability (tracked at CVE-2023-32434) as well as two WebKit vulnerabilities — CVE-2023-32435, which was discovered by the Kaspersky researchers, and a third flaw (CVE-2023-32439) found by an anonymous researcher.

The vulnerabilities affect many models of iPhone, iPad, Mac and Apple Watch devices.

The new operating system versions released by Apple to address the issues in iPhones and iPads are iOS 16.5.1 and iPadOS 16.5.1 for newer devices, along with iOS 15.7.7 and iPadOS 15.7.7 for older devices. For Macs, Apple released macOS Ventura 13.4.1, macOS Monterey 12.6.7 and macOS Big Sur 11.7.8.