CVE-2023-41061
Published 2023-09-07
Priority P1 · 82 · high · CVSS 3.1: 7.8
CVSS vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability, due 2023-10-02
Exploited in the wild
EPSS: 3.15% (86.3th percentile)
A validation issue was addressed with improved logic. This issue is fixed in watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1. A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios_16.6.1_and_ipados | — | — |
| apple | ios_and_ipados | >= unspecified < 16.6 | 16.6 |
| apple | ipados | < 16.6.1 | 16.6.1 |
| apple | iphone_os | < 16.6.1 | 16.6.1 |
| apple | watchos | < 9.6.2 | 9.6.2 |
| apple | watchos | — | — |
| apple | watchos | >= unspecified < 9.6 | 9.6 |
Detection & IOCs (extracted from sources)
- Hunt for inbound iMessage traffic delivering PassKit (.pkpass) attachments containing embedded images; this is the delivery vector for the BLASTPASS exploit chain targeting CVE-2023-41061 (Wallet) chained with CVE-2023-41064 (ImageIO).
- CVE-2023-41061 is chained with CVE-2023-41064 (ImageIO buffer overflow); detections should correlate both vulnerabilities being triggered together as part of the same attack sequence.
- Scope detection to Apple devices running iOS/iPadOS 16.6.1 and earlier, and watchOS 9.6.2 and earlier; these are the confirmed vulnerable versions for CVE-2023-41061.
- CVE-2023-41061 affects the Wallet component specifically; the validation issue is in attachment processing, not a memory corruption bug. Exploitation relies on the chained ImageIO overflow (CVE-2023-41064) to achieve full code execution.
- Apple has confirmed active in-the-wild exploitation of this vulnerability; treat any unpatched device as compromised if it received unexpected PassKit/iMessage attachments from unknown senders.
CVSS provenance
- nvd: v3.1, 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- vulncheck: 7.8 HIGH
- cisa: 7.8 HIGH
Project0
Blasting Past Webp - Project Zero
project_zero·2025-03-01·CVSS 8.8
CVE-2023-41061 [HIGH] Blasting Past Webp - Project Zero
An analysis of the NSO BLASTPASS iMessage exploit
Posted by Ian Beer, Google Project Zero
On September 7, 2023 Apple issued an out-of-band security update for iOS:
Around the same time on September 7th 2023, Citizen Lab published a blog post linking the two CVEs fixed in iOS 16.6.1 to an "NSO Group Zero-Click, Zero-Day exploit captured in the wild":
"[The target was] an individual employed by a Washington DC-based civil society organization with international offices...
The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim.
The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim."
The day before, on Septembe
GHSA
GHSA-h6m5-xj4q-9xw4: A validation issue was addressed with improved logic
ghsa_unreviewed·2023-09-07
CVE-2023-41061 [HIGH] CWE-20 GHSA-h6m5-xj4q-9xw4: A validation issue was addressed with improved logic
A validation issue was addressed with improved logic. This issue is fixed in watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1. A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
VulnCheck
Apple iOS, iPadOS, and macOS ImageIO Buffer Overflow Vulnerability
vulncheck·2023·CVSS 7.8
CVE-2023-41064 [HIGH] CWE-120 Apple iOS, iPadOS, and macOS ImageIO Buffer Overflow Vulnerability
Apple iOS, iPadOS, and macOS contain a buffer overflow vulnerability in ImageIO when processing a maliciously crafted image, which may lead to code execution. This vulnerability was chained with CVE-2023-41061.
Affected: Apple iOS, iPadOS, and macOS
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://support.apple.com/kb/HT213905; https://support.apple.com/kb/HT213906; https://support.apple.com/kb/HT213913; https://suppor
VulnCheck
Apple iOS, iPadOS, and watchOS Wallet Code Execution Vulnerability
vulncheck·2023·CVSS 7.8
CVE-2023-41061 [HIGH] Apple iOS, iPadOS, and watchOS Wallet Code Execution Vulnerability
Apple iOS, iPadOS, and watchOS contain an unspecified vulnerability due to a validation issue affecting Wallet in which a maliciously crafted attachment may result in code execution. This vulnerability was chained with CVE-2023-41064.
Affected: Apple iOS, iPadOS, and watchOS
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://support.apple.com/kb/HT213905; https://support.apple.com/kb/HT213907; https://www.cisa.gov/sites/
CISA
Apple iOS, iPadOS, and macOS ImageIO Buffer Overflow Vulnerability
cisa·2023-09-11·CVSS 7.8
CVE-2023-41064 [HIGH] CWE-120 Apple iOS, iPadOS, and macOS ImageIO Buffer Overflow Vulnerability
Vulnerability: Apple iOS, iPadOS, and macOS ImageIO Buffer Overflow Vulnerability
Affected: Apple iOS, iPadOS, and macOS
Apple iOS, iPadOS, and macOS contain a buffer overflow vulnerability in ImageIO when processing a maliciously crafted image, which may lead to code execution. This vulnerability was chained with CVE-2023-41061.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://support.apple.com/en-us/HT213905, https://support.apple.com/en-us/HT213906; https://nvd.nist.gov/vuln/detail/CVE-2023-41064
Remediation Due Date: 2023-10-02
CISA
Apple iOS, iPadOS, and watchOS Wallet Code Execution Vulnerability
cisa·2023-09-11·CVSS 7.8
CVE-2023-41061 [HIGH] Apple iOS, iPadOS, and watchOS Wallet Code Execution Vulnerability
Vulnerability: Apple iOS, iPadOS, and watchOS Wallet Code Execution Vulnerability
Affected: Apple iOS, iPadOS, and watchOS
Apple iOS, iPadOS, and watchOS contain an unspecified vulnerability due to a validation issue affecting Wallet in which a maliciously crafted attachment may result in code execution. This vulnerability was chained with CVE-2023-41064.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://support.apple.com/en-us/HT213905, https://support.apple.com/kb/HT213907; https://nvd.nist.gov/vuln/detail/CVE-2023-41061
Remediation Due Date: 2023-10-02
Apple
CVE-2023-41061: watchOS 9.6.2
vendor_apple·2023-09-07·CVSS 7.8
CVE-2023-41061 [HIGH] CVE-2023-41061: watchOS 9.6.2
Apple Security Update: About the security content of watchOS 9.6.2
Product: watchOS
Version: 9.6.2
CVE: CVE-2023-41061
Component: Wallet
Impact: A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A validation issue was addressed with improved logic.
Apple
CVE-2023-41061: iOS 16.6.1 and iPadOS 16.6.1
vendor_apple·2023-09-07·CVSS 7.8
CVE-2023-41061 [HIGH] CVE-2023-41061: iOS 16.6.1 and iPadOS 16.6.1
Apple Security Update: About the security content of iOS 16.6.1 and iPadOS 16.6.1
Product: iOS 16.6.1 and iPadOS
Version: 16.6.1
CVE: CVE-2023-41061
Component: Wallet
Impact: A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A validation issue was addressed with improved logic.
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks
blogs_bleepingcomputer·2025-03-11·CVSS 7.8
CVE-2025-24201 [HIGH] Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks
## Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks
## Sergiu Gatlan
Apple said attackers can exploit the CVE-2025-24201 vulnerability using maliciously crafted web content to break out of the Web Content sandbox.
The company has fixed this out-of-bounds write issue with improved checks to prevent unauthorized actions in iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1.
The list of devices impacted by this zero-day is quite extensive, as the bug affects older and newer models, including:
iPhone XS and later,
iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
Macs
Bleepingcomputer
Apple fixes zero-day exploited in 'extremely sophisticated' attacks
blogs_bleepingcomputer·2025-02-10·CVSS 7.8
[HIGH] Apple fixes zero-day exploited in 'extremely sophisticated' attacks
## Apple fixes zero-day exploited in 'extremely sophisticated' attacks
## Sergiu Gatlan
USB Restricted Mode is a security feature (introduced almost seven years ago in iOS 11.4.1) that blocks USB accessories from creating a data connection if the device has been locked for over an hour. This feature is designed to block forensic software like Graykey and Cellebrite (commonly used by law enforcement) from extracting data from locked iOS devices.
In November, Apple introduced another security feature (dubbed "inactivity reboot") that automatically restarts iPhones after long idle times to re-encrypt data and make it harder to extract by forensic software.
The zero-day vulnerability (tracked as CVE-2025-24200 and reported by Citizen Lab's Bill Marczak) patched today by Apple is an author
Bleepingcomputer
Apple fixes this year’s first actively exploited zero-day bug
blogs_bleepingcomputer·2025-01-27·CVSS 6.5
CVE-2024-23222 [MEDIUM] Apple fixes this year’s first actively exploited zero-day bug
## Apple fixes this year’s first actively exploited zero-day bug
## Sergiu Gatlan
According to the company's official documentation, Core Media "defines the media pipeline used by AVFoundation and other high-level media frameworks found on Apple platforms."
Apple has fixed CVE-2024-23222 with improved memory management in iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, visionOS 2.3, and tvOS 18.3.
The list of devices impacted by this zero-day is quite extensive, as the bug affects older and newer models, including:
iPhone XS and later,
iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
macOS Sequoia
Apple Watch Ser
Bleepingcomputer
Apple fixes two zero-days used in attacks on Intel-based Macs
blogs_bleepingcomputer·2024-11-19·CVSS 8.8
CVE-2024-44308 [HIGH] Apple fixes two zero-days used in attacks on Intel-based Macs
## Apple fixes two zero-days used in attacks on Intel-based Macs
## Lawrence Abrams
The JavaScriptCore CVE-2024-44308 flaw allows attackers to achieve remote code execution through maliciously crafted web content. The other flaw, CVE-2024-44309, allows cross-site scripting (CSS) attacks.
The company says it addressed the security flaws in macOS Sequoia 15.1.1.
As the same components are found in other Apple operating systems, it was also fixed in iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, and visionOS 2.1.1.
While Apple says both flaws were discovered by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group, the company has not provided further details on how they were exploited.
BleepingComputer contacted Google to learn how the flaws were exploite
Bleepingcomputer
Apple fixes first zero-day bug exploited in attacks this year
blogs_bleepingcomputer·2024-01-22·CVSS 8.8
[HIGH] Apple fixes first zero-day bug exploited in attacks this year
## Apple fixes first zero-day bug exploited in attacks this year
## Sergiu Gatlan
"Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited," Apple said today.
The company has yet to attribute the discovery of this security vulnerability to a security researcher. Although the company disclosed that it's aware of in-the-wild exploitation, it has yet to publish further details regarding these attacks.
Apple addressed CVE-2024-23222 with improved checks in iOS 16.7.5 and later, iPadOS 16.7.5 and later, and macOS Monterey 12.7.3 and higher, as well as on tvOS 17.3 and later.
The complete list of devices impacted by this WebKit zero-day is quite extensive, as the bug affects older and newer models, i
Sentinelone
Protecting macOS | 7 Strategies for Enterprise Security in 2024
blogs_sentinelone·2024-01-02
Protecting macOS | 7 Strategies for Enterprise Security in 2024
Welcome to 2024! It may be a new year for us all, but it’s very much business as usual for cybersecurity professionals. Last year saw an increase in the number and variety of new threats targeting the macOS platform, and as the influence of the Mac continues to expand in enterprise environments, there is little doubt that 2024 will continue that trend.
In this post, we reflect on the lessons we can learn from the last 12 months of threat activity against Apple’s desktop operating system, and offer 7 strategies for defenders to help bolster their threat hunting, detection and mitigation efforts.
## 1. Don’t Rely on Persistence for Detection
Perhaps the most important lesson that defenders learned from 2023’s crop of macOS malware was that monitoring for persistence methods became a much
Bleepingcomputer
Apple emergency updates fix recent zero-days on older iPhones
blogs_bleepingcomputer·2023-12-11·CVSS 6.5
[MEDIUM] Apple emergency updates fix recent zero-days on older iPhones
## Apple emergency updates fix recent zero-days on older iPhones
## Sergiu Gatlan
They can let attackers obtain access to sensitive data through and execute arbitrary code using maliciously crafted webpages designed to exploit out-of-bounds and memory corruption bugs on unpatched devices.
Today, Apple addressed the zero-days in iOS 16.7.3, iPadOS 16.7.3, tvOS 17.2, and watchOS 10.2 with improved input validation and locking.
The company says the bugs are now also patched on the following list of devices:
iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Apple TV HD and Apple TV 4K (all models)
Apple Watch Series 4 and later
Clément Lecigne, a security researcher from Google's Threat
Bleepingcomputer
Apple fixes two new iOS zero-days in emergency updates
blogs_bleepingcomputer·2023-11-30·CVSS 8.6
[HIGH] Apple fixes two new iOS zero-days in emergency updates
## Apple fixes two new iOS zero-days in emergency updates
## Sergiu Gatlan
The company says it addressed the security flaws for devices running iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 with improved input validation and locking.
The list of impacted Apple devices is quite extensive, and it includes:
iPhone XS and later
iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Macs running macOS Monterey, Ventura, Sonoma
Security researcher Clément Lecigne of Google's Threat Analysis Group (TAG) found and reported both zero-days.
While Apple has not released information regarding ongoing exploitation in
Bleepingcomputer
Apple fixes iOS Kernel zero-day vulnerability on older iPhones
blogs_bleepingcomputer·2023-10-12·CVSS 7.8
CVE-2023-5217 [HIGH] Apple fixes iOS Kernel zero-day vulnerability on older iPhones
## Apple fixes iOS Kernel zero-day vulnerability on older iPhones
## Sergiu Gatlan
Apple has now also fixed the issue in iOS 16.7.1 and iPadOS 16.7.1 with improved checks, but it has yet to reveal who discovered and reported the flaw.
The second one, a bug identified as CVE-2023-5217, is caused by a heap buffer overflow vulnerability within the VP8 encoding of the open-source libvpx video codec library. This flaw could let threat actors gain arbitrary code execution upon successful exploitation.
Even though Apple did not confirm any instances of exploitation in the wild, Google previously patched the libvpx bug as a zero-day in its Chrome web browser. Microsoft also addressed the same vulnerability in its Edge, Teams, and Skype products.
Google attributed the discovery of CVE-2023-521
Bleepingcomputer
Apple emergency update fixes new zero-day used to hack iPhones
blogs_bleepingcomputer·2023-10-04·CVSS 7.8
[HIGH] Apple emergency update fixes new zero-day used to hack iPhones
## Apple emergency update fixes new zero-day used to hack iPhones
## Sergiu Gatlan
While Apple said it addressed the security issue in iOS 17.0.3 and iPadOS 17.0.3 with improved checks, it has yet to reveal who found and reported the flaw.
The list of impacted devices is quite extensive, and it includes:
iPhone XS and later
iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Apple also addressed a bug tracked as CVE-2023-5217 and caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library, which could allow arbitrary code execution following successful exploitation.
While Apple
Tenable
CVE-2023-41064, CVE-2023-4863, CVE-2023-5129: Frequently Asked Questions for ImageIO and WebP/libwebp Zero-Day Vulnerabilities
blogs_tenable·2023-09-27·CVSS 7.8
[HIGH] CVE-2023-41064, CVE-2023-4863, CVE-2023-5129: Frequently Asked Questions for ImageIO and WebP/libwebp Zero-Day Vulnerabilities
Bleepingcomputer
Apple emergency updates fix 3 new zero-days exploited in attacks
blogs_bleepingcomputer·2023-09-21·CVSS 8.8
[HIGH] Apple emergency updates fix 3 new zero-days exploited in attacks
## Apple emergency updates fix 3 new zero-days exploited in attacks
## Sergiu Gatlan
Apple fixed the three zero-day bugs in macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1 by addressing a certificate validation issue and through improved checks.
"Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7," the company revealed in security advisories describing the security flaws.
The list of impacted devices encompasses older and newer device models, and it includes:
iPhone 8 and later
iPad mini 5th generation and later
Macs running macOS Monterey and newer
Apple Watch Series 4 and later
All three zero-days were found and reported by Bill Marczak of the Citizen Lab at The University of Toronto'
Schneier
Zero-Click Exploit in iPhones
blogs_schneier·2023-09-13·CVSS 7.8
CVE-2023-41064 [HIGH] Zero-Click Exploit in iPhones
## Zero-Click Exploit in iPhones
Make sure you update your iPhones:
Citizen Lab says two zero-days fixed by Apple today in emergency security updates were actively abused as part of a zero-click exploit chain (dubbed BLASTPASS) to deploy NSO Group’s Pegasus commercial spyware onto fully patched iPhones.
The two bugs, tracked as CVE-2023-41064 and CVE-2023-41061, allowed the attackers to infect a fully-patched iPhone running iOS 16.6 and belonging to a Washington DC-based civil society organization via PassKit attachments containing malicious images.
“We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” Citizen Lab said.
“The exploit involved PassKit attach
Bleepingcomputer
CISA warns govt agencies to secure iPhones against spyware attacks
blogs_bleepingcomputer·2023-09-11·CVSS 6.5
CVE-2023-41064 [MEDIUM] CISA warns govt agencies to secure iPhones against spyware attacks
## CISA warns govt agencies to secure iPhones against spyware attacks
## Sergiu Gatlan
"Apple is aware of a report that this issue may have been actively exploited," the company said when describing the two Image I/O and Wallet vulnerabilities, tracked as CVE-2023-41064 and CVE-2023-41061.
The list of impacted devices is quite extensive, as the bugs affect both older and newer models, and it includes:
iPhone 8 and later
iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Macs running macOS Ventura
Apple Watch Series 4 and later
Apple fixed the two zero-days in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 with memory handling and improved logic. Both allow attackers to gain arbitrary c
Bleepingcomputer
Apple zero-click iMessage exploit used to infect iPhones with spyware
blogs_bleepingcomputer·2023-09-07·CVSS 8.8
[HIGH] Apple zero-click iMessage exploit used to infect iPhones with spyware
## Apple zero-click iMessage exploit used to infect iPhones with spyware
## Sergiu Gatlan
"The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim."
Citizen Lab also urged Apple customers to update their devices immediately and encouraged those at risk of targeted attacks due to their identity or profession to activate Lockdown Mode.
Apple and Citizen Lab security researchers discovered the two zero-days in the Image I/O and Wallet frameworks.
CVE-2023-41064 is a buffer overflow triggered when processing maliciously crafted images, while CVE-2023-41061 is a validation issue that can be exploited via malicious attachments.
Both allow threat actors to gain arbitrary code execution on unpatched iPhone and iPad devices.
Bleepingcomputer
Apple discloses 2 new zero-days exploited to attack iPhones, Macs
blogs_bleepingcomputer·2023-09-07·CVSS 6.5
CVE-2023-41064 [MEDIUM] Apple discloses 2 new zero-days exploited to attack iPhones, Macs
## Apple discloses 2 new zero-days exploited to attack iPhones, Macs
## Sergiu Gatlan
Citizen Lab also revealed today that the CVE-2023-41064 and CVE-2023-41061 bugs were actively abused as part of a zero-click iMessage exploit chain named BLASTPASS that was used to deploy NSO Group's Pegasus mercenary spyware onto fully-patched iPhones (running iOS 16.6) via PassKit attachments containing malicious images.
CVE-2023-41064 is a buffer overflow weakness that gets triggered when processing maliciously crafted images, and it can lead to arbitrary code execution on unpatched devices.
CVE-2023-41061 is a validation issue that can be exploited using a malicious attachment to also gain arbitrary code execution on targeted devices.
Apple fixed the zero-days in macOS Ventura 13.5.2,
References
- http://seclists.org/fulldisclosure/2023/Sep/4
- http://seclists.org/fulldisclosure/2023/Sep/5
- https://support.apple.com/en-us/HT213905
- https://support.apple.com/en-us/HT213907
- https://support.apple.com/kb/HT213905
- https://support.apple.com/kb/HT213907
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41061
Timeline
- 2023-09-07: Published
- 2023-09-11: Added to CISA KEV
- Exploited in the wild