Apple Discloses 2 New Zero-Days Exploited to Attack iPhones, Macs

Cyber Security Threat Summary:
Yesterday, Apple issued emergency security updates to address two zero-day flaws that were exploited in attacks targeting iPhone and Mac users. The vulnerabilities are being tracked as CVE-2023-41064 (discovered by Citizen Lab security researchers) and CVE-2023-41061 (discovered by Apple) and were found in the Image I/O and Wallet frameworks. CVE-2023-41064 relates to a validation issue in Wallet which can be exploited to execute arbitrary code via maliciously crafted attachments. CVE-2023-41064 on the other hand relates to a buffer overflow weakness in the Image I/O component and gets triggered when handling maliciously crafted images. Successful exploitation of this flaw could also enable threat actors to gain arbitrary code executed on targeted devices.

CVE-2023-41064 and CVE-2023-41061 impact:

  • iPhone 8 and later
  • iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
  • Macs running macOS Ventura
  • Apple Watch Series 4 and later
The flaws have been addressed in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 with improved logic and memory handling.

Security Officer Comments:
According to a separate alert from Citizen Lab Security researchers, the flaws were abused as part of a zero-click iMessage exploit chain dubbed BLASTPASS to deploy Pegasus spyware on iPhones running iOS 16.6. The exploit involved the use of PassKit attachments containing malicious images sent from an attacker’s iMessage account to the victim, who researchers say was an individual employed by a Washington DC-based civil society organization with international offices. No further details regarding the attacks were released. Citizen Lab expects to publish a more detailed report of the exploit chain in the near future after more users have had time to apply the security updates.

Suggested Correction(s):
Users should apply the updates released by Apple as soon as possible to prevent potential exploitation attempts.