Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild.
Tracked as CVE-2023-38606, the shortcoming resides in the kernel and permits a malicious app to modify sensitive kernel state potentially. The company said it was addressed with improved state management.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1,” the tech giant noted in its advisory.
It’s worth noting that CVE-2023-38606 is the fourth security vulnerability discovered in connection with Operation Triangulation, a sophisticated mobile cyber espionage campaign targeting iOS devices since 2019 using a zero-click exploit chain. The other two zero-days, CVE-2023-32434 and CVE-2023-32435, were patched by Apple last month.
images from Hacker News