Apple Releases Emergency Updates to Address Zero-day Vulnerabilities in macOS Ventura, iOS, and iPadOS (CVE-2023-41064 & CVE-2023-41061)

The Citizen Lab at The University of Toronto's Munk School has discovered two critical-severity vulnerabilities in Apple macOS Ventura, iOS, and iPadOS. Tracked as CVE-2023-41064 and CVE-2023-41061, the vulnerabilities may allow an attacker to perform arbitrary code execution.

Apple is aware of the active exploitation of these vulnerabilities. The Citizen Lab has mentioned in their blog that Israeli spyware maker NSO Group has been exploiting the vulnerabilities to deliver Pegasus mercenary spyware.

CISA has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog, requesting users to patch them before October 2, 2023.

Zero-day vulnerabilities addressed by Apple this year so far:

CVE-2023-41061

The vulnerability, which exists in Wallet, arises from a validation flaw. An attacker may exploit this vulnerability with a maliciously crafted attachment. Successful exploitation of the vulnerability may result in arbitrary code execution. Apple has fixed the flaw with improved logic.

CVE-2023-41064

The vulnerability originates from a buffer overflow flaw in the ImageIO component. The vulnerability can be exploited by processing a maliciously crafted image. An attacker may exploit the vulnerability to perform arbitrary code execution. Apple has fixed the vulnerability with improved memory handling.

Affected Products and Versions

  • iPhone 8 and later
  • iPad Pro (all models)
  • iPad 5th generation and later
  • iPad Air 3rd generation and later
  • iPad mini 5th generation and later
  • macOS Ventura versions prior to 13.5.2

Mitigation

Customers must upgrade to the latest macOS Ventura 13.5.2, iOS 16.6.1, and iPadOS 16.6.1 to patch the vulnerabilities.

For more information, please visit the Apple security advisories for macOS Ventura, iOS, and iPadOS.
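
The fixed versions above can be checked against a device inventory export. The following is an added example, not code from Apple or Qualys: the CSV column names, hostnames and status labels are assumptions, the sample rows are constructed, and any iOS or iPadOS version below 16.6.1 is flagged because the advisory names that release as the fix.

```python
import csv
import io

# Fixed releases named in the advisory's Mitigation section.
FIXED = {"macos": (13, 5, 2), "ios": (16, 6, 1), "ipados": (16, 6, 1)}

def parse_version(text):
    """Turn '16.6' into (16, 6, 0); raise ValueError on anything else."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 3:
        raise ValueError(text)
    return tuple(parts + [0] * (3 - len(parts)))

def triage(platform, version):
    """Return a status label (the labels are this example's own)."""
    key = platform.strip().lower()
    if key not in FIXED:
        return "not-covered"
    try:
        found = parse_version(version)
    except ValueError:
        return "unparsed"  # suffixed or malformed version string; review by hand
    # The advisory lists only macOS Ventura (13.x) among macOS releases.
    if key == "macos" and found[0] != 13:
        return "not-covered"
    return "patched" if found >= FIXED[key] else "needs-update"

def report(csv_text):
    """Map each inventory row to (hostname, status)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["hostname"], triage(r["platform"], r["os_version"])) for r in rows]

# Constructed sample inventory export (not real devices).
SAMPLE = """hostname,platform,os_version
mbp-001,macOS,13.5.1
mbp-002,macOS,13.5.2
mbp-003,macOS,12.6.8
iph-001,iOS,16.6
ipad-001,iPadOS,16.6.1
iph-002,iOS,16.5.1 (a)
"""

if __name__ == "__main__":
    for host, status in report(SAMPLE):
        print(f"{host:10} {status}")
```

Rows reported as "unparsed" or "not-covered" are outside what this advisory states and need a separate check against Apple's own advisories.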

Qualys Detection

Qualys customers can scan their devices with QIDs 610508 and 378841 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://support.apple.com/en-us/HT213906
https://support.apple.com/en-us/HT213905
