Apple Patches Two Freshly Exploited Zero-days in Security Update

September 7, 2023

Apple recently pushed out emergency security updates to fix two newly discovered zero-day vulnerabilities that were being exploited to attack users of iPhones and Macs. This brings the total count of exploited zero-days that Apple has patched since the start of the year to 13. The company stated in security advisories that it is aware of reports that these issues may have been actively exploited. The vulnerabilities were found in the Image I/O and Wallet frameworks and have been designated as CVE-2023-41064 and CVE-2023-41061. The former was discovered by security researchers at Citizen Lab, while the latter was found by Apple itself.

CVE-2023-41064 is a buffer overflow vulnerability that is triggered when maliciously crafted images are processed, potentially leading to arbitrary code execution on devices that have not been patched. CVE-2023-41061, on the other hand, is a validation issue that can be exploited using a malicious attachment to gain arbitrary code execution on targeted devices.

Apple has addressed these zero-days in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2, implementing improved logic and memory handling. The range of devices impacted by these security bugs is quite broad, as they affect both older and newer models.

Since the beginning of the year, Apple has patched a total of 13 zero-day bugs that were being exploited in attacks against devices running iOS, macOS, iPadOS, and watchOS. Apple has not yet disclosed details about the attacks that exploited the flaws patched in the latest update, but it did acknowledge that CVE-2023-41064 was discovered and reported by Citizen Lab. The researchers at Citizen Lab have previously reported on other Apple zero-days that were exploited to deploy commercial spyware on computers and iPhones in targeted attacks.

Two months ago, in July, Apple released Rapid Security Response (RSR) updates to address a vulnerability, designated CVE-2023-37450, which impacted fully patched iPhones, Macs, and iPads. However, it was later confirmed that these RSR updates inadvertently caused issues with web browsing on patched devices. Apple subsequently released new, fixed versions of the patches two days later.
