Apple is shipping this recent “Rapid Response” spyware patch to ev

Two weeks ago, we urged Apple users with recent hardware to grab the company’s second Rapid Response patch.

As we pointed out at the time, this was an emergency patch to block a web browsing security flaw that had apparently been used in real-world spyware attacks:

Component: WebKit

Impact: Processing web content may lead 
        to arbitrary code execution. 
        Apple is aware of a report that 
        this issue may have been 
        actively exploited.

Description: The issue was addressed 
             with improved checks.

CVE-2023-37450: an anonymous researcher

The next best thing to no-click attacks

Technically, code execution bugs that can be triggered by causing you to view a webpage containing booby-trapped content do not count as so-called zero-click attacks.

A true no-click attack is one where cybercriminals can take control of your device just because it’s turned on and connected to a network.

Well-known examples include the infamous Code Red and Slammer worms of the early 2000s that spread globally within hours of finding new victim computers on their own, or the legendary Morris Worm of 1988 that distributed worldwide almost as soon as its creator triggered it.

Morris, author of the eponymous worm, apparently intended to limit the side effects of his experiment by infecting each potential victim only once. But it added code that randomly and occasionally re-infected existing victims as an insurance policy against blocked or fake versions of the worm that might otherwise trick the worm into avoiding computers that seemed infectious but weren’t. Morris decided to deliberately re-infect the computers 1/7 of the time, but it turned out to be far too aggressive. So the worm quickly overwhelmed the internet infecting victims again and again until they did nothing but attack everyone.

But one watch and get pwned attack, also known as installation in carwhere just looking at a web page can invisibly implant malware, even if you don’t click any additional buttons or approve any pop-ups, is the best thing for an attacker to do.

After all, your browser isn’t supposed to download and run unauthorized programs unless and until you explicitly give it permission.

As you can imagine, crooks love to combine a look-and-get-pwned exploit with a second kernel-level code execution bug to take full control of your computer or phone.

Browser-based exploits often give attackers limited results, such as malware that can only spy on your browsing (as bad as that is on their own), or that won’t continue to work after you close your browser or restart your device.

But if the malware attackers execute through an initial browser hole is specifically coded to exploit the second bug in the chain, they immediately evade any throttling or sandboxing implemented in the browser app by taking over your entire device at the operating system level.

Typically, this means they can spy on every app you run, and even the operating system itself, as well as install their malware as part of your devices’ official startup routine, invisibly and automatically surviving any precautionary reboots you might perform.

More iPhone malware holes in the wild

Apple has now rolled out full system upgrades, with new version numbers, for every operating system version the company supports.

After this latest update, you should see the following version numbers as listed in the Apple Security Bulletins listed below:

In addition to including a permanent fix for the CVE-2023-37450 exploit mentioned above (thereby fixing those who skipped the Quick Response or had older devices that were not eligible), these updates also address this listed bug:

Component: Kernel

Impact: An app may be able to modify sensitive 
        kernel state. Apple is aware of a 
        report that this issue may have been 
        actively exploited against versions of 
        iOS released before iOS 15.7.1. 

Description: This issue was addressed with 
             improved state management.

CVE-2023-38606: Valentin Pashkov, 
                Mikhail Vinogradov, 
                Georgy Kucherin (@kucher1n), 
                Leonid Bezvershenko (@bzvr_), 
                and Boris Larin (@oct0xor) 
                of Kaspersky

As in our article on Apple’s previous system-level updates in late June 2023, the two holes in the wild that made the list this time dealt with a WebKit bug and a kernel flaw, with the WebKit-level bug again attributed to an anonymous researcher and the kernel-level bug once again attributed to Russian antivirus Kaspersky.

So let’s assume that these patches related to the so-called Triangulation Trojan malware, first reported by Kasperky in early June 2023, after the company discovered that iPhones belonging to some of its own employees had been actively infected with spyware:

What to do?

Again, we urge you to make sure your Apple devices have downloaded (and then installed!) these updates as soon as possible.

Although we always urge you to Correct early/correct oftenthe fixes for these upgrades aren’t just there to fill in theoretical holes.

Here, you close cybersecurity loopholes that attackers already know how to exploit.

Even though crooks have only used them so far in a limited number of successful intrusions against older iPhones

why stay behind when you can jump ahead?

And if protection against the Triangulation Trojan malware isn’t enough to convince you, remember that these updates also fix many theoretical attacks that Apple and other Good Guys have proactively found, including code execution holes at the kernel level, privilege escalation bugs, and data leakage flaws.

As always, see you at Settings > General > Software update to check if you have correctly received and installed this emergency patch, or to jump to the front of the queue and get it immediately if you haven’t.

(Note. On older Macs, check for updates using About This Mac > Software update instead.)