The Information Highway

The Information Highway

Font size: +
2 minutes reading time (390 words)

Apple discloses 2 new zero-days exploited to attack iPhones, Macs

Apple released emergency security updates to fix two new zero-day vulnerabilities exploited in attacks targeting iPhone and Mac users, for a total of 13 exploited zero-days patched since the start of the year. 

"Apple is aware of a report that this issue may have been actively exploited," the company revealed in security advisories describing the security flaws.

The bugs were found in the Image I/O and Wallet frameworks and are tracked as CVE-2023-41064 (discovered by Citizen Lab security researchers) and CVE-2023-41061 (discovered by Apple). 

Citizen Lab also revealed today that the CVE-2023-41064 and CVE-2023-41061 bugs were actively abused as part of as part of a zero-click iMessage exploit chain named BLASTPASS that was used to deploy NSO Group's Pegasus mercenary spyware onto fully-patched iPhones (running iOS (16.6) via PassKit attachments containing malicious images.

CVE-2023-41064 is a buffer overflow weakness that gets triggered when processing maliciously crafted images, and it can lead to arbitrary code execution on unpatched devices.

CVE-2023-41061 is a validation issue that can be exploited using a malicious attachment to also gain arbitrary code execution on targeted devices.

Apple fixed the zero-days in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 with improved logic and memory handling.

The list of impacted devices is rather extensive, seeing that the two security bugs affect both older and newer models, and it includes:

  • iPhone 8 and later
  • iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
  • Macs running macOS Ventura
  • Apple Watch Series 4 and later

13 exploited zero-days fixed this year

Since the start of the year, Apple has patched 13 zero-day bugs exploited in attacks against devices running iOS, macOS, iPadOS, and watchOS.

Two months ago, in July, Apple pushed out-of-band Rapid Security Response (RSR) updates to address a vulnerability (CVE-2023-37450) impacting fully patched iPhones, Macs, and iPads.

It later confirmed that the RSR updates partially broke web browsing on patched devices and released new and fixed versions of the buggy patches two days later.

Before today, Apple also addressed:

  • two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
  • three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
  • three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
  • two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
  • and another WebKit zero-day (CVE-2023-23529) in February
Cisco warns of VPN zero-day exploited by ransomwar...
Windows cryptomining attacks target graphic design...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Tuesday, 05 November 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023