All attention might be on iOS 17 and macOS Sonoma, but Apple hasn’t stopped working on its current crop of operating systems. And if you’re not running the betas, you need to know that Apple just shipped a slew of updates to fix some critical security holes.

In all, Apple pushed 10 updates on Wednesday: iOS 16.5.1 and iPadOS 16.5.1; iOS 15.7.7 and iPadOS 15.7.7; macOS Ventura 13.4.1, macOS Monterey 12.6.7, and macOS Big Sur 11.7.8; Safari 16.5.1; and watchOS 9.5.2 and watchOS 8.8.1. That covers more than a decade of devices going back to 2013 and includes the iPhone 6s, Apple Watch Series 3, and the original 12-inch MacBook.

All of the OS updates fix the same vulnerability:

Kernel

• Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
• Description: An integer overflow was addressed with improved input validation.
• CVE-2023-32434: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

According to The Register and Hacker News, this update fixes the flaw exploited by the “Operation Triangulation” campaign that was able to use iMessage to deliver a “malicious attachment” that then transmitted sensitive information including audio recordings, photos, and geolocation data. The exploit, dubbed TriangleDB is known to have been exploited in versions of iOS earlier than 15.7, but the flaw can be found in all of Apple’s devices.

Additionally, the iOS, iPadOS, and macOS Ventura updates, as well as Safari 16.5.1 for Big Sur and Monterey, include a fix for a WebKit flaw that also may have been exploited:

WebKit

• Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
• Description: A type confusion issue was addressed with improved checks.
  CVE-2023-32439: an anonymous researcher (WebKit Bugzilla: 256567)

None of the updates include any other security patches. However, the iOS 16.5.1 release notes say it includes a fix for an issue that prevents charging with the Lightning to USB 3 Camera Adapter.

iOS, MacOS

All attention might be on iOS 17 and macOS Sonoma, but Apple hasn’t stopped working on its current crop of operating systems. And if you’re not running the betas, you need to know that Apple just shipped a slew of updates to fix some critical security holes.

All told, Apple pushed eight updates on Wednesday: iOS 16.5.1 and iPadOS 16.5.1; iOS 15.7.7 and iPadOS 15.7.7; macOS Ventura 13.4.1, macOS Monterey 12.6.7, and macOS Big Sur 11.7.8; and watchOS 9.5.2 and watchOS 8.8.1. That covers more than a decade of devices going back to 2013 and includes the iPhone 6s, Apple Watch Series 3, and the original 12-inch MacBook. All of the updates fix the same vulnerability:

Kernel

• Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
• Description: An integer overflow was addressed with improved input validation.
• CVE-2023-32434: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

According to The Register, this update fixes the flaw exploited by the “Operation Triangulation” campaign that was able to use iMessage to deliver a “malicious attachment” transmitting sensitive information including audio recordings, photos, and geolocation data. The exploit is known to have been exploited in versions of iOS earlier than 15.7, but the flaw can be found in all of Apple’s devices.

Additionally, the iOS, iPadOS, and macOS Ventura updates include a fix for a WebKit flaw that also may have been exploited:

WebKit

• Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
• Description: A type confusion issue was addressed with improved checks.
  CVE-2023-32439: an anonymous researcher (WebKit Bugzilla: 256567)

None of the updates include any other security patches. However, the iOS 16.5.1 release notes say it includes a fix for an issue that prevents charging with the Lightning to USB 3 Camera Adapter.

iOS, MacOS

Apple on Wednesday released macOS Ventura 13.4.1, an update that includes a couple of critical zero-day security patches. The release notes merely state that the update includes “important security fixes and is recommended for all users.”

It’s unclear whether this update includes any other fixes, but Apple has recently promised that a fix would be coming to correct a storage issue with the new Mac Pro. According to the security notes, the update includes the same two security patches as the iOS 16.5.1 update:

While the details for kernel patch include an issue that has been exploited on iPhones, it’s still important to apply the fix in macOS. So it’s a good idea to install the update as soon as possible. For older Macs, there are also updates to macOS Monterey (12.6.7) and macOS Big Sur (11.7.8) that address the kernel issue.

How to install macOS Ventura 13.4.1

An internet connection is required to install the update, and the Mac needs to restart. To install macOS Ventura 13.4.1:

1. Click on the Apple menu and select System Settings.
2. Select General in the left sidebar.
3. Select Software Update in the main section of the window.
4. The Mac will check online for any available updates. If the update is available, a description will appear. Click on the Update Now button to start the installation. The update will download to your Mac and the installer will run. The Mac will need to restart to complete the installation.

Check out our macOS Ventura guide for more information. Also, Apple has similar security patches for the iPhone and iPad.

MacOS

Apple has released a minor operating system update in the form of iOS 16.5.1 and iPadOS 16.5.1. As is typical with an x.x.1 point release, the list of changes is very small. The release notes consist of two sentences:

This update provides important security fixes and is recommended for all users. It also fixes an issue that prevents charging with the Lightning to USB 3 Camera Adapter.

That second bit is good news for people who rely on the Lightning to USB 3 Camera Adapter (and charge while using it), but it’s the first sentence that matters most here. The two security updates in this release are substantial:

Kernel

• Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
• Description: An integer overflow was addressed with improved input validation.
• CVE-2023-32434: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

WebKit

• Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
• Description: A type confusion issue was addressed with improved checks.
• CVE-2023-32439: an anonymous researcher

Apple says it is aware of a report that both of these flaws may have been actively exploited (though the kernel one is specifically against versions of iOS released before iOS 15.7). That’s bad news, and you should get the fix right away.

For those with iPhones that are too old to run iOS 16 (older than iPhone 8) or iPadOS 16 (older than 3rd gen iPad Air or 5th gen iPad), Apple has released iOS and iPadOS 15.7.7 to address the same security flaws.

To get the update, open the Settings app, tap General, then Software Update. Then tap Download and Install and follow the prompts.

iOS

Digital security firm Kaspersky has posted information about a recent cyberattack that targeted the iPhones of Kaspersky employees, which were infected with spyware that is part of a campaign the company dubbed, “Operation Triangulation.”

Hackers were able to infect the iPhones using what Kaspersky called an “invisible iMessage with a malicious attachment” that can be activated without user interaction. Once installed, Triangulation was able to gather sensitive information (audio recordings, photos, geolocation, and more) and transmit that data to remote servers. All of this can occur without the user being able to notice.

In a separate, more technical post, Kaspersky points out that “the most recent version of the devices successfully targeted is iOS 15.7.” An Apple representative told Ars Technica that “there’s no indication in Kaspersky’s account that any of the exploits work on iOS versions later than 15.7.” A Kaspersky representative told Ars Technica that one of the iOS vulnerabilities was recorded as CVE-2022-46690 in the CVE.report database, which Apple fixed in iOS 16.2, according to Apple’s security notes.

Kaspersky was able to detect Triangulation with its Unified Monitoring and Analysis Platform. The company also said, “Due to the closed nature of iOS, there are no (and cannot be any) standard operating-system tools for detecting and removing this spyware on infected smartphones.” If an iPhone has had its ability to update iOS disabled, this could be an indirect indicator of a Triangulation infection.

Kaspersky has created a free utility to check an iPhone backup for a Triangulation infection. The company has full instructions on downloading and using its triangle_check utility for Mac, Linux, and Windows. The utility is a Python package, not a typical Mac app, and Mac users will need to use macOS’s Terminal app and install a pip utility in order to use Kaspersky’s tool.

iPhone viruses and malware are rare, but no device is completely invulnerable. Apple urges users to update to the most recent version of IOS that a device can support in order to ensure that the latest security patches are installed. Learn more about iPhones and viruses, and check out our guide on how to remove a virus from and iPhone or iPad.

Antivirus, iOS, Security