Apple patches two zero-days under attack (CVE-2023-41064, CVE-2023-41061)

Apple has patched two zero-day vulnerabilities (CVE-2023-41064, CVE-2023-41061) exploited to deliver NSO Group’s Pegasus spyware.

“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” Citizen Lab shared.

“The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.”

About the vulnerabilities

CVE-2023-41064 is a buffer overflow vulnerability in the ImageI/O framework, which allows applications to read and write most image file formats. The vulnerability can be triggered with a maliciously crafted image and can lead to arbitrary code execution.

CVE-2023-41061 is a validation issue in Apple’s Wallet, where users can store payment cards, IDs, event tickets, traveling tickets, etc. The vulnerability can be triggered with a maliciously crafted attachment and can lead to arbitrary code execution.

CVE-2023-41064 was reported by The Citizen Lab at The University of Torontoʼs Munk School, while CVE-2023-41061 was figured out by Apple with their help, probably as they were validating the existence of CVE-2023-41064.

Both have been fixed in the iOS 16 branch. A fix for CVE-2023-41064 is also included in the latest security update for macOS Ventura (13.5.2), and for CVE-2023-41061 in watchOS 9.6.2.

The patches will likely be backported to older iOS, iPadOS and macOS branches soon.

An exploit chain to target high-risk users

The exploit chain – dubbed BLASTPASS by Citizen Lab – was detected when they analyzed a device of an individual employed by a Washington DC-based civil society organization with international offices.

“This latest find shows once again that civil society is targeted by highly sophisticated exploits and mercenary spyware,” they said. “We expect to publish a more detailed discussion of the exploit chain in the future.”

“Regular” users are advised to update their devices as soon as possible, but users who are at risk of highly targeted cyberattacks with spyware like Pegasus should think about activating Lockdown Mode.

“We believe, and Apple’s Security Engineering and Architecture team has confirmed to us, that Lockdown Mode blocks this particular attack,” the Citizen Lab pointed out.

Another good idea for users that run the latest versions of Apple’s operating systems is to enable Apple Rapid Security Response, which automatically installs security patches as they are made available.

UPDATE (September 12, 2023, 04:30 a.m. ET):

Apple has fixed CVE-2023-41064 in older operating systems: iOS 15.7.9 and iPadOS 15.7.9, macOS Monterey 12.6.9 and macOS Big Sur 11.7.10.

CISA has added the two flaws to its KEV catalog.