Two weeks ago, we urged Apple users with recent hardware to grab the company’s second-ever Rapid Response patch.
As we pointed out at the time, this was an emergency bug fix to block off a web-browsing security hole that had apparently been used in real-world spyware attacks:
Component: WebKit Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: The issue was addressed with improved checks. CVE-2023-37450: an anonymous researcher
The next-best thing to zero-click attacks
Technically, code execution bugs that can be triggered by getting you to look at a web page that contains booby-trapped content don’t count as so-called zero-click attacks.
A true zero-click atack is where cybercriminals can take over your device simply because it’s turned on and connected to a network.
Well-known examples include the infamous Code Red and Slammer worms of the early 2000s that spread globally in just a few hours by finding new victim computers by themselves, or the legendary Morris Worm of 1988 that distributed itself worldwide almost as soon as its creator unleashed it.
Morris, author of the eponymous worm, apparently intended to limit the side-effects of his “experiment” by infecting each potential victim only once. But he added code that randomly and occasionally reinfected existing victims as an insurance policy against crashed or fake versions of the worm that might otherwise trick the worm into avoiding computers that seemed to be infectious but weren’t. Morris decided on purposely reinfecting computers 1/7th of the time, but that turned out to be far too aggressive. The worm therefore quickly overwhelmed the internet by infecting victims them over and over again until they were doing little other than attacking everyone else.
But a look-and-get-pwned attack, also known as a drive-by install, where merely looking at a web page can invisibly implant malware, even though you don’t click any additional buttons or approve any pop-ups, is the next-best thing for an attacker.
After all, your browser isn’t supposed to download and run any unauthorised programs unless and until you explicitly give it permission.
As you can imagine, crooks love to combine a look-and-get-pwned exploit with a second, kernel-level code execution bug to take over your computer or your phone entirely.
Browser-based exploits often give attackers limited results, such as malware that can only spy on your browsing (as bad as that is on its own), or that won’t keep running after your browser exits or your device reboots.
But if the malware the attackers execute via an initial browser hole is specifically coded to exploit the second bug in the chain, then they immediately escape from any limitations or sandboxing implemented in the browser app by taking over your entire device at the operating system level instead.
Typically, that means they can spy on every app you run, and even on the operating system itself, as well as installing their malware as an official part of your device’s startup procedure, thus invisibly and automatically surviving any precautionary reboots you might perform.
More in-the-wild iPhone malware holes
Apple has now pushed out full-sized system upgrades, complete with brand new version numbers, for every supported operating system version that the company supports.
After this latest update, you should see the following version numbers, as documented in the Apple security bulletins listed below:
As well as including a permanent fix for the abovementioned CVE-2023-37450 exploit (thus patching those who skipped the Rapid Response or who had older devices that weren’t eligible), these updates also deal with this listed bug:
Component: Kernel Impact: An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1. Description: This issue was addressed with improved state management. CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky
As in our write-up of Apple’s previous system-level updates at the end of June 2023, the two in-the-wild holes that made the list this time dealt with a WebKit bug and a kernel flaw, with the WebKit-level bug once again attributed to “an anonymous researcher” and the kernel-level bug once again attributed to Russian anti-virus outfit Kaspersky.
We’re therefore assuming that these patches related to the so-called Triangulation Trojan malware, first reported by Kasperky at the start of June 2023, after the company found that iPhones belonging to some of its own staff had been actively infected with spyware:
What to do?
Once again, we urge you to ensure that your Apple devices have downloaded (and then actually installed!) these updates as soon as you can.
Even though we always urge you to Patch early/Patch often, the fixes in these upgrades aren’t just there to close off theoretical holes.
Here, you’re shutting off cybersecurity flaws that attackers already know how to exploit.
Even if the crooks have only used them so far in a limited number of successful intrusions against older iPhones…
…why remain behind when you can jump ahead?
And if guarding against the Triangulation Trojan malware isn’t enough to convince you on its own, don’t forget that these updates also patch against numerous theoretical attacks that Apple and other Good Guys found proactively, including kernel-level code execution holes, elevation-of-privilege bugs, and data leakage flaws.
As always, head to to Settings > General > Software Update to check whether you’ve correctly received and installed this emergency patch, or to jump to the front of the queue and fetch it right away if you haven’t.
(Note. On older Macs, check for updates using About This Mac > Software Update… instead.)