Apple issues emergency patch to address alleged spyware vulnerability

The fix follows allegations from a Russian intelligence service that an intentional flaw in iPhones provided a gateway for American espionage.
(Justin Sullivan/Getty Images)

Apple issued a security update on Wednesday for all its operating systems to patch dangerous vulnerabilities that could allow attackers to take over someone’s entire device.

The vulnerabilities in question, first revealed on June 1, appeared to have led the main Russian intelligence agency to make unusually public claims that Apple intentionally left the flaws in its iOS so the National Security Agency and other U.S. entities could compromise “thousands” of iPhones in Russia. Apple has denied those claims.

The charges from the Federal Security Service, or FSB, came the same day that researchers with cybersecurity firm Kaspersky published a report detailing what they said was an “ongoing” zero-click iMessage exploit campaign dubbed “Operation Triangulation” targeting iOS that allowed attackers to run code on phones with root privileges, among other capabilities. Kaspersky published an additional analysis Wednesday, saying that after roughly six months of collecting and analyzing the data, “we have finished analyzing the spyware implant and are ready to share the details.”

Researchers with the cybersecurity firm that’s headquartered in Moscow said in the June 1 report they found the exploit “while monitoring the network traffic of our own corporate Wi-Fi network dedicated for mobile devices.”


Both Kaspersky analyses did not attribute the operators behind the campaign. A Kaspersky spokesperson told CyberScoop on Wednesday that the company had “nothing to provide” on attribution or in response to the FSB using Kaspersky’s work to backstop its claims of Apple collusion with the NSA and “American intelligence services.”

Kaspersky researchers “proactively collaborated with the Apple Security Research team by sharing information about the attack and reporting the exploits,” the spokesperson told CyberScoop in an email. “As of now, Apple has publicly confirmed them as zero-day vulnerabilities that received the designation of CVE-2023-32434 and CVE-2023-32435 respectively, and announced the patching of those as part of the Security Updates release on June 21, 2023. We would like to thank Apple for taking action promptly to address and resolve the identified issues to keep users safe.”

Apple said in its security update that the fixes would address an app that “may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.”

In response to the June 1 claims from the FSB, an Apple spokesperson told CyberScoop that “[we] have never worked with any government to insert a backdoor into any Apple product and never will.”

AJ Vicens

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).

Latest Podcasts