Apple Releases Emergency Security Patches
Patches Released in Response To New Zero-Day Attacks
On Thursday, September 21, Apple took swift action in response to the exploitation of two previously unknown vulnerabilities in its operating systems. These vulnerabilities were used to deploy the notorious Pegasus spyware, which is often employed for mercenary purposes.
In response, Apple urgently released security patches for iOS, iPadOS, macOS, and watchOS.
The first issue identified is CVE-2023-41061, a validation problem within Wallet. Processing a maliciously crafted attachment may result in arbitrary code execution. The second vulnerability, CVE-2023-41064, is a buffer overflow problem within the Image I/O component. Processing a maliciously crafted image could lead to arbitrary code execution.
Citizen Lab at the University of Toronto's Munk School discovered CVE-2023-41064. CVE-2023-41061, on the other hand, was internally detected by Apple, with Citizen Lab providing "assistance" during the process.
Apple's recent updates address these vulnerabilities on the following devices and operating systems. iOS 16.6.1 and iPadOS 16.6.1 are available for iPhone 8 and newer models, all iPad Pro models, iPad Air from the 3rd generation onwards, iPad from the 5th generation onwards, and iPad mini from the 5th generation onwards. macOS Ventura 13.5.2 applies to devices running macOS Ventura, while watchOS 9.6.2 is available for Apple Watch Series 4 and subsequent models.
Citizen Lab disclosed in a separate advisory that the vulnerabilities mentioned above have been exploited in a zero-click iMessage exploit chain called BLASTPASS. This chain allows the deployment of Pegasus on iPhones running fully updated iOS 16.6.
Due to the ongoing exploitation, detailed technical information about these vulnerabilities has not been publicly disclosed. However, it has been reported that the exploit can bypass Apple's BlastDoor sandbox framework, which was designed to counteract zero-click attacks.
Kaspersky, a leading Russian cybersecurity firm, sounded the alarm about an ongoing attack campaign utilizing a zero-click, zero-day iMessage vulnerability.
Reports of these zero-day vulnerabilities coincide with indications that the Chinese government may have issued a directive banning central and state government officials from using iPhones and other foreign-branded devices for official work.
This move is perceived as an effort to reduce dependence on international technology, particularly amidst an intensifying trade dispute between China and the United States.
Apple's prompt response to these vulnerabilities illustrates its commitment to ensuring the security and privacy of its users. Users must update their devices to the latest software versions to protect themselves from potential exploitation. With the rapid advancements in cyber threats, staying vigilant and maintaining up-to-date software is more important than ever.