Apple issues updates for macOS, iOS and fixes two actively exploited vulnerabilities
Take action: Time to patch your Apple devices, quickly. It takes a whole 30 minutes to do the patch, so click the update button and have a coffee.
Apple has issued security updates to address two newly discovered zero-day vulnerabilities that were exploited in attacks targeting both iPhone and Mac users.
Apple acknowledged that these vulnerabilities may have already been exploited by hackers. The two vulnerabilities were identified in the Image I/O and Wallet frameworks, designated as CVE-2023-41064 (discovered by Citizen Lab security researchers) and CVE-2023-41061 (discovered by Apple).
Citizen Lab additionally disclosed that these vulnerabilities, CVE-2023-41064 and CVE-2023-41061, were actively utilized in a zero-click iMessage exploit chain known as "BLASTPASS." This chain was employed to deploy the NSO Group's Pegasus mercenary spyware on fully-patched iPhones running iOS 16.6 via attachments containing malicious images.
- CVE-2023-41064 is categorized as a buffer overflow weakness, triggered when processing maliciously crafted images, and it can potentially lead to arbitrary code execution on unpatched devices.
- CVE-2023-41061 involves a validation issue that can be exploited through a malicious attachment, also leading to arbitrary code execution on targeted devices.
Apple promptly addressed these zero-day vulnerabilities in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2. The impact of these vulnerabilities extends to a wide range of devices, encompassing older and newer models, including iPhone 8 and later, various iPad models, Macs running macOS Ventura, and Apple Watch Series 4 and later.
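To verify a device actually landed on a fixed build after the update, the following POSIX shell check (added here, not from the article or from Apple) compares an installed version against the first fixed releases named above (macOS Ventura 13.5.2, iOS/iPadOS 16.6.1, watchOS 9.6.2); `sw_vers -productVersion` is Apple's own macOS command, and majors the advisory does not list are reported as "not covered" rather than guessed.

```shell
#!/bin/sh
# Added example: dotted-version comparison against the fixed releases
# named in the advisory. Fixed versions below come from the text.

# version_ge A B -> exit status 0 when A >= B (numeric, component by component;
# a missing trailing component counts as 0, so 13.5 < 13.5.2).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0;
    }'
}

# blastpass_status OS VERSION -> prints patched / vulnerable / not covered
# exit 0 = patched, 1 = vulnerable, 2 = unknown OS or major not in advisory
blastpass_status() {
    os=$1; ver=$2
    case "$os" in
        macos)      fixed=13.5.2 ;;   # macOS Ventura 13.5.2
        ios|ipados) fixed=16.6.1 ;;   # iOS / iPadOS 16.6.1
        watchos)    fixed=9.6.2 ;;    # watchOS 9.6.2
        *) echo "unknown os: $os"; return 2 ;;
    esac
    # Only the major release line the advisory names is judged here;
    # other majors (older macOS, etc.) need their own advisory lookup.
    if [ "${ver%%.*}" != "${fixed%%.*}" ]; then
        echo "not covered: $os $ver (advisory fix is $fixed)"
        return 2
    fi
    if version_ge "$ver" "$fixed"; then
        echo "patched"; return 0
    else
        echo "vulnerable"; return 1
    fi
}

# On a Mac, check the running system:
#   blastpass_status macos "$(sw_vers -productVersion)"
```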