Home Apple Apple discloses 2 new zero-days exploited to attack iPhones, Macs

Apple discloses 2 new zero-days exploited to attack iPhones, Macs

by Kyle Meranda

Apple has recently released emergency security updates to address two zero-day vulnerabilities that have been exploited in attacks targeting iPhone and Mac users. These updates bring the total number of exploited zero-days patched by Apple since the beginning of the year to 13.

The vulnerabilities, which were found in the Image I/O and Wallet frameworks, have been tracked as CVE-2023-41064 and CVE-2023-41061. CVE-2023-41064 is a buffer overflow weakness that can be triggered when processing maliciously crafted images, potentially leading to arbitrary code execution on unpatched devices. On the other hand, CVE-2023-41061 is a validation issue that can be exploited using a malicious attachment, also enabling arbitrary code execution on targeted devices.

Citizen Lab, a security research organization, revealed that these two vulnerabilities were actively abused as part of a zero-click iMessage exploit chain called BLASTPASS. This exploit chain was used to deploy NSO Group’s Pegasus mercenary spyware onto fully-patched iPhones. The spyware was delivered through PassKit attachments containing malicious images.

To address these vulnerabilities, Apple has released updates for macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2. These updates include improved logic and memory handling to mitigate the risks associated with these zero-day vulnerabilities.

The impact of these vulnerabilities is significant, as they affect a wide range of devices, including iPhone 8 and later models, various iPad models, Macs running macOS Ventura, and Apple Watch Series 4 and later.

This is not the first time Apple has had to address exploited zero-day vulnerabilities this year. Since the beginning of 2023, the company has already dealt with 13 different zero-day bugs, impacting devices running iOS, macOS, iPadOS, and watchOS.

Two months ago, in July, Apple released out-of-band Rapid Security Response (RSR) updates to fix a vulnerability (CVE-2023-37450) that affected fully patched iPhones, Macs, and iPads. However, these updates caused some issues with web browsing, prompting Apple to release new and fixed versions of the patches.

The continuous discovery and patching of zero-day vulnerabilities highlight the importance of regular software updates and maintaining the security of devices. Users should promptly install these updates to protect themselves from potential security risks.

You may also like