Apple iOS Update to Address Vulnerabilities in Older Versions of Apple Products

At Audio Advice, we have designed and installed thousands of smart home tech that can be controlled by your very own Apple iPhone or even an Apple iPad. An iPad can be a key fixture in your smart home, whether it’s in a custom casing on your wall, or used by your bedside table to control your shades, lights, TV, and more. If you’re a custom integrator or a homeowner, the latest Apple iOS update is one you should update to immediately because it has fixed several security flaws that are being exploited in spyware attacks.

Credit is given to Kaspersky researchers for uncovering two iOS vulnerabilities, which have now been patched. Kaspersky, a cybersecurity company based in Russia with a significant presence in the United States, disclosed these vulnerabilities recently. They revealed that an attacker could compromise devices through the iMessage service by sending a malicious attachment, without requiring any action from the user.

As per Kaspersky's findings, the message activates a vulnerability that allows for the execution of code. This code, present within the exploit, proceeds to download multiple subsequent stages from a command-and-control server. These stages consist of additional exploits designed for privilege escalation.

Once the exploitation is successful, a final payload is fetched from the C&C server, which Kaspersky refers to as a "fully featured APT platform." Following this, both the initial message and the attachment containing the exploit are deleted.

Kapersky has said the spyware has allowed for:

  • Interacting with the filesystem (creation, modification, exfiltration and removal of files);
  • Interacting with processes (listing and terminating them);
  • Dumping the victim’s keychain items, which can be useful for harvesting victim credentials;
  • Monitoring the victim’s geolocation;
  • Running additional modules, which are Mach-O executables loaded by the implant. These executables are reflectively loaded, with their binaries stored only in memory.

 

To address these vulnerabilities affecting older versions of Apple products, Apple has released two distinct updates:

  • iOS and iPadOS 15.7.7, targeting the following devices:
    • iPhone 6s (all models)
    • iPhone 7 (all models)
    • iPhone SE (1st generation)
    • iPad Air 2
    • iPad mini (4th generation)
    • iPod touch (7th generation)
  • iOS 16.5.1 and iPadOS 16.5.1, intended for the following devices:
    • iPhone 8 and later
    • iPad Pro (all models)
    • iPad Air 3rd generation and later
    • iPad 5th generation and later
    • iPad mini 5th generation and later

The vulnerabilities disclosed by Kaspersky are tracked as CVE-2023-32434 and CVE-2023-32435. Additionally, the updates address a WebKit bug, known as CVE-2023-32439, which Apple attributes to an anonymous researcher. According to Apple, all three vulnerabilities have been exploited in real-world attacks.

Apart from iOS and iPadOS, Apple has also released fixes for these bugs in specific versions of watchOS, macOS, and Safari. For more details, you can refer to Apple's comprehensive list of security updates.