CVE-2023-32434, CVE-2023-32435, CVE-2023-32439: Apple’s Triple Threat Zero-Day Vulnerabilities
Recently, Apple found itself in the crosshairs of a sophisticated spyware attack, aptly named ‘Triangulation.’ The three vulnerabilities in question, exploited to deploy the Triangulation spyware via iMessage’s zero-click exploits, caught the tech world’s attention due to their level of sophistication and potential for damage. Apple, in its characteristic approach, was quick to address these concerns, acknowledging that versions of iOS predating iOS 15.7 could have been subjected to active exploitation.
The Triple Threat Zero-Day Vulnerabilities: CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439
Two of these vulnerabilities, pertaining to the Kernel and WebKit, were tracked under the codes CVE-2023-32434 and CVE-2023-32435. These flaws were promptly identified and reported by the team of Georgy Kucherin, Leonid Bezvershenko, and Boris Larin, acclaimed security researchers at Kaspersky.
The third security vulnerability is no less significant. Identified as CVE-2023-32439, it was unearthed by an anonymous researcher. This vulnerability resided in WebKit and was of particular concern as it could potentially grant an attacker the power to execute arbitrary code on unpatched devices by exploiting a type confusion issue.
Remedial Steps: Improved Checks, Input Validation, and State Management
Apple’s solution came in the form of patches rolled out in the recent macOS updates (Ventura 13.4.1, Monterey 12.6.7, and Big Sur 11.7.8), alongside iOS 16.5.1, iOS 15.7.7, iPadOS 16.5.1, iPadOS 15.7.7, watchOS 9.5.2, and watchOS 8.8.1. The company’s response employed a combination of advanced techniques – improved checks, rigorous input validation, and meticulous state management – aimed at bolstering the security apparatus.
The Scope of Impact: A Broad Spectrum of Devices
What underscores the gravity of these vulnerabilities is their wide range of impact, with both older and newer models at risk. The list of affected devices extends from iPhone 8 to the latest, iPad Pro, iPad Air (3rd generation and later), iPad (5th generation and later), and iPad mini (5th generation and later). The iPhone 6s, iPhone 7, iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) were not immune to these exploits.
On the Mac front, devices running macOS Big Sur, Monterey, and Ventura were at risk, as were Apple Watch Series 3 to Series 7 and SE models.
