The vulnerability affects the kernel, which controls the hardware of the device, and can allow bad apps to change its state. It is being tracked as CVE-2023-38606.
The zero-day is the third vulnerability in Apple devices linked to Operation Triangulation, a cyberespionage campaign targeting iOS devices since 2019 that requires no user clicks to become active.
Researchers at Kaspersky are said to have discovered the operation and reported this latest flaw. It affects older versions of iOS, with Apple stating that it “is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.”
Apple’s fix entailed improving the state management of the device.
Kaspersky lead researcher Boris Larin claims that this flaw is used to deploy the Triangulation spyware via an exploit in iMessage.
The new security updates are available for iOS, iPadOS, macOS (Big Sur, Monterey, and Ventura), tvOS and watchOS devices, as well as the Safari browser.
Since the start of the year, Apple has patched a total of 11 zero-days that have been exploited by attackers, affecting Macs, iPads and iPhones. It also recently released a fix for a WebKit vulnerability that could have led to arbitrary code execution.
At the end of last year, the company also released its new Rapid Security Response feature, designed to get patches out to customers more quickly, and used it for the first time in May this year to patch Macs, iPads and iPhones.