by Joe Spanilo, Security Specialist
Apple has released emergency security updates for Mac, iPhone, iPad, and Apple Watch devices to fix two critical zero-day vulnerabilities. These vulnerabilities have been exploited in the wild, meaning they’re actively impacting users. The flaws, known as CVE2023-41064 and CVE 2023-41061, could allow threat actors to execute arbitrary code on vulnerable devices by sending maliciously crafted images or attachments.
What do the vulnerabilities do if exploited?
These vulnerabilities can each lead to arbitrary code execution, meaning the user doesn’t have to take any action in order to be impacted by the exploits. That’s what makes them so dangerous, and why remediating these issues by applying the recommended updates is critical.
- CVE2023-41064 is a buffer overflow issue in the ImageIO framework, which is used to handle image data in macOS Ventura and iOS/ iPadOS 16.6.1. According to Apple, processing a maliciously crafted image sent by a threat actor may lead to arbitrary code execution.
- CVE2023-41061 is a validation issue affecting Apple Wallet that allows an attacker to craft a malicious attachment that can result in arbitrary code execution.
Citizen Lab, an organization that focuses on information technologies and human rights, discovered CVE 2023-41064 and has pointed out that both vulnerabilities were used in the exploit chain known as BLASTPASS.
BLASTPASS is used to deliver the infamous Pegasus spyware which was developed by NSO Group. Pegasus has been routinely used by governments to surveil journalists, lawyers, human rights activists, and political dissidents. BLASTPASS allows the spyware to be delivered to Apple devices without any interaction from the victim. This makes it essential to proactively take steps to protect your device.
ADNET’s Recommendation
Apple has released security updates to address both zero-day vulnerabilities. Due to the severity of these vulnerabilities, we strongly recommended updating your devices as soon as possible to prevent a potential attack.
The updates are available for the following devices:
- iPhone 8 and later (update to iOS 16.6.1)
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later (update to iPadOS 16.6.1)
- Macs running macOS Ventura (update to macOS Ventura 13.5.2)
- Apple Watch Series 4 and later (update to watchOS 9.6.2)
ADNET clients with eligible Managed IT services will have their covered devices patched, however it’s important to remember that this only applies to your covered business devices (such as Mac laptops). If you have any personal devices, such as iPhones and Apple Watches, you’ll need to apply the recommended system updates manually.
Here’s more information from Apple on the steps you can take to protect your devices. Please reach out to your Engagement Manager or ADNET support if you need help applying these updates.