Apple 0-Day Vulnerabilities – iOS/iPadOS/watchOS/macOS – CVE-2023-41061, CVE-2023-41064
iOS/iPadOS/watchOS/macOS 0-Day Vulnerabilities – Patch Now
8th September 2023
Summary
Apple has released emergency security patches for two 0-day vulnerabilities across its devices. Active exploitation of these vulnerabilities has been identified and used in installation of Pegasus spyware.
- CVE-2023-41061 (CVSS unavailable) is a validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
- CVE-2023-41064 (CVSS unavailable) is a buffer overflow issue in the Image I/O component that could result in arbitrary code execution when processing a maliciously crafted image.
The University of Toronto Monk School’s Citizen Lab announced that the two vulnerabilities have been weaponised as a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus.
This is the 13th 0-day vulnerability fixed by Apple in 2023.
Spotit recommends that users and IT administrators of all affected devices upgrade to the latest OS version immediately.
Affected Products
- iOS and iPadOS 16.6 and earlier – iPhone 8 and later, iPad Pro (all models), iPad Air 3rd gen and later, iPad 5th gen and later, and iPad Mini 5th gen and later.
- macOS 13.5.1 and earlier – macOS devices running macOS Ventura
- watchOS 9.6.1 and earlier – Apple Watch Series 4 and later