Apple on Monday announced major security-focused updates for its primary iOS, macOS, and iPadOS platforms, warning that at least one of the vulnerabilities fixed had already been exploited in the wild.
The Cupertino tech giant rolled out patches for serious code execution defects in iOS and macOS, including a kernel flaw that was part of an exploit chain disclosed by Kaspersky, a Russian anti-malware provider.
Apple stated that the kernel flaw (CVE-2023-38606) impacts iOS, iPadOS, and macOS devices and was actively exploited against iOS versions released before iOS 15.7.1.
“An app might have the ability to modify sensitive kernel state. Apple is aware of a report suggesting that this issue may have been actively exploited,” confirmed the company, attributing the detection of the issue to five different Kaspersky researchers.
This marks the second instance of Apple implementing fixes for software vulnerabilities exploited as part of APT-style attacks on Kaspersky’s corporate network. Kaspersky’s revelation coincided with Russia’s Federal Security Service (FSB) accusing US intelligence agencies of perpetrating a widespread spy campaign targeting thousands of iOS devices owned by domestic subscribers and foreign diplomatic missions.
In total, Apple fixed at least 25 known security bugs affecting iPhones and iPads, including several issues that left mobile devices vulnerable to code execution attacks. The iOS 16.6 update also addresses a WebKit bug that was initially fixed in the recent Rapid Security Response rollout.
Apple also corrected security issues in its Safari browser (Safari 16.6), older iPhone and iPad models (iOS 15.7.8 and iPadOS 15.7.8), and macOS Ventura 13.5.