Apple 0-Day Vulnerabilities – iOS/iPadOS/watchOS/macOS – CVE-2023-41061, CVE-2023-41064

iOS/iPadOS/watchOS/macOS 0-Day Vulnerabilities – Patch Now

8th September 2023

Summary

Apple has released emergency security updates for two 0-day vulnerabilities affecting iPhone, iPad, Apple Watch and Mac. Both are being actively exploited in the wild, and the exploitation observed so far has been used to install NSO Group's Pegasus spyware.

  • CVE-2023-41061 (CVSS unavailable) is a validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
  • CVE-2023-41064 (CVSS unavailable) is a buffer overflow issue in the Image I/O component that could result in arbitrary code execution when processing a maliciously crafted image.

The University of Toronto Munk School's Citizen Lab reported that the two vulnerabilities were chained into a zero-click iMessage exploit, which it named BLASTPASS, to deliver Pegasus. According to Citizen Lab, the chain used PassKit attachments containing malicious images sent from an attacker-controlled iMessage account and compromised iPhones running the then-current iOS 16.6 without any interaction from the victim.

These two fixes bring the number of 0-day vulnerabilities patched by Apple in 2023 to 13.

Spotit recommends that users and IT administrators of all affected devices update to iOS 16.6.1, iPadOS 16.6.1, macOS Ventura 13.5.2 and watchOS 9.6.2 (or later) immediately. Citizen Lab states, and Apple has confirmed, that Lockdown Mode blocks this particular attack chain; high-risk users who cannot update at once should enable it as an interim measure.

Affected Products

  • iOS and iPadOS 16.6 and earlier – iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
  • macOS 13.5.1 and earlier – Macs running macOS Ventura
  • watchOS 9.6.1 and earlier – Apple Watch Series 4 and later
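For administrators who need to triage a fleet against the ranges above, the following is an added example (editor's code, not Spotit's or Apple's tooling) that classifies devices by comparing OS versions as numeric tuples against the first patched releases (iOS/iPadOS 16.6.1, macOS Ventura 13.5.2, watchOS 9.6.2). It deliberately avoids string comparison, which would misorder "16.6.1" and "16.10", and it reports macOS major versions other than 13 as not covered by this bulletin rather than as safe. The sample inventory is constructed for illustration.

```python
"""Flag devices whose OS version falls inside the affected ranges of this
bulletin. Added example, not Spotit's or Apple's code. The fixed versions are
the releases Apple shipped on 7 September 2023."""
from __future__ import annotations

# Oldest patched release per platform; anything strictly below is affected.
FIXED: dict[str, tuple[int, ...]] = {
    "iOS": (16, 6, 1),
    "iPadOS": (16, 6, 1),
    "macOS": (13, 5, 2),   # Ventura only; other lines are out of scope here
    "watchOS": (9, 6, 2),
}


def parse_version(text: str) -> tuple[int, ...]:
    """'16.6' -> (16, 6); '13.5.1' -> (13, 5, 1). Rejects non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform: str, version: str) -> bool | None:
    """True if the device is in an affected range, False if it is on a patched
    release, None if this bulletin does not cover the platform or major line
    (for example macOS 12 Monterey)."""
    fixed = FIXED.get(platform)
    if fixed is None:
        return None
    v = parse_version(version)
    if platform == "macOS" and v[0] != fixed[0]:
        return None
    # Tuple comparison handles missing components and multi-digit parts:
    # (16, 6) < (16, 6, 1) is True and (16, 10) < (16, 6, 1) is False,
    # whereas as strings "16.10" sorts before "16.6.1".
    return v < fixed


# Constructed sample inventory, in the shape an MDM export might produce.
SAMPLE_INVENTORY = [
    {"device": "iphone-ceo", "platform": "iOS", "version": "16.6"},
    {"device": "iphone-dev1", "platform": "iOS", "version": "16.6.1"},
    {"device": "ipad-lobby", "platform": "iPadOS", "version": "15.7.8"},
    {"device": "mbp-finance", "platform": "macOS", "version": "13.5.1"},
    {"device": "mbp-build", "platform": "macOS", "version": "13.5.2"},
    {"device": "mbp-legacy", "platform": "macOS", "version": "12.6.8"},
    {"device": "watch-sec", "platform": "watchOS", "version": "9.6.1"},
]


def triage(inventory: list[dict[str, str]]) -> dict[str, list[str]]:
    """Group device names into affected / patched / not_covered buckets."""
    out: dict[str, list[str]] = {"affected": [], "patched": [], "not_covered": []}
    for row in inventory:
        state = is_affected(row["platform"], row["version"])
        if state is None:
            out["not_covered"].append(row["device"])
        elif state:
            out["affected"].append(row["device"])
        else:
            out["patched"].append(row["device"])
    return out


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Devices reported as not_covered still need a decision: the bulletin only lists macOS Ventura, so a Monterey or Big Sur machine should be checked against Apple's later advisories rather than treated as safe.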