OVERVIEW

Two zero-day vulnerabilities tracked as CVE-2023-41064 and CVE-2023-41061 have been found across Apple's major product lines, including iPhone, iPad, Mac, and Apple Watch. Chained together, the vulnerabilities have been exploited to deploy NSO Group's Pegasus spyware.

According to Apple, the first vulnerability, CVE-2023-41064, is a buffer overflow in the ImageIO component that can lead to arbitrary code execution when a maliciously crafted image is processed. The second vulnerability, CVE-2023-41061, is a validation flaw in Wallet that can lead to arbitrary code execution when a maliciously crafted attachment is processed.

Both vulnerabilities have been exploited in the wild and were weaponized by attackers in the zero-click iMessage exploit chain that Citizen Lab named BLASTPASS, which was used to deploy Pegasus on fully patched iPhones running iOS 16.6. Citizen Lab explained that the exploit chain could compromise iPhones running what was then the latest iOS release (16.6) via malicious PassKit attachments containing crafted images, sent from an attacker's iMessage account, without any interaction from the victim.

Apple has not disclosed technical specifics, but Citizen Lab reports that the exploit bypasses Apple's BlastDoor sandbox, the framework designed to contain exactly this kind of zero-click iMessage attack. Apple fixed the zero-days with improved logic and memory handling in the following releases:

  • macOS Ventura 13.5.2
  • iOS 16.6.1
  • iPadOS 16.6.1
  • watchOS 9.6.2

The list of impacted devices is extensive: CVE-2023-41064 and CVE-2023-41061 affect both older and newer device models, such as iPhone 8 and later, Macs running macOS Ventura, and all iPad Pro models. Note that not every release covers both CVEs: macOS Ventura 13.5.2 addresses the ImageIO issue (CVE-2023-41064), watchOS 9.6.2 addresses the Wallet issue (CVE-2023-41061), and iOS/iPadOS 16.6.1 address both. Avertium highly recommends that Apple product users patch immediately.
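As an added illustration (not Avertium's or Apple's code), the following Python script checks a device inventory against the minimum patched versions listed above and reports every device that is still exposed. The inventory records are constructed sample data and the field names (device, platform, version) are assumptions; in practice the input would be an export from your MDM.

```python
"""
Added example: report Apple devices whose OS is below the builds that fix
CVE-2023-41064 / CVE-2023-41061. Not Avertium's or Apple's code.
"""
from typing import Dict, List, Tuple

# Minimum patched versions per platform, taken from Apple's September 2023
# security releases (macOS Ventura 13.5.2, iOS/iPadOS 16.6.1, watchOS 9.6.2).
PATCHED: Dict[str, Tuple[int, int, int]] = {
    "iOS": (16, 6, 1),
    "iPadOS": (16, 6, 1),
    "macOS": (13, 5, 2),
    "watchOS": (9, 6, 2),
}

# Constructed sample inventory; a real run would read an MDM export.
# Field names are assumptions made for this example.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"device": "CEO-iPhone", "platform": "iOS", "version": "16.6"},
    {"device": "CFO-iPhone", "platform": "iOS", "version": "16.6.1"},
    {"device": "Design-iPad", "platform": "iPadOS", "version": "16.5.1"},
    {"device": "Exec-MBP", "platform": "macOS", "version": "13.5.2"},
    {"device": "Exec-Watch", "platform": "watchOS", "version": "9.6"},
    {"device": "Lab-MBP", "platform": "macOS", "version": "14.0"},
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '16.6.1' or '13.5' into a numeric triple so that comparison is
    numeric, not lexical: '16.10' must sort above '16.6.1'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected Apple version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)  # Apple writes 16.6 for 16.6.0
    return (parts[0], parts[1], parts[2])


def is_patched(platform: str, version: str) -> bool:
    """True when the installed version is at or above the fixing release.
    Older major versions (e.g. iOS 15.x, macOS 12.x) are conservatively
    reported as unpatched; check Apple's release page for back-ported fixes."""
    if platform not in PATCHED:
        raise ValueError(f"no patch baseline for platform {platform!r}")
    return parse_version(version) >= PATCHED[platform]


def find_unpatched(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the device names that still need the update, in inventory order."""
    return [
        rec["device"]
        for rec in inventory
        if not is_patched(rec["platform"], rec["version"])
    ]


if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        state = "patched" if is_patched(rec["platform"], rec["version"]) else "UNPATCHED"
        print(f"{rec['device']:<12} {rec['platform']:<8} {rec['version']:<8} {state}")
    print("Needs update:", ", ".join(find_unpatched(SAMPLE_INVENTORY)))
```

The script compares versions as numeric tuples rather than strings, which is the check that naive inventory filters get wrong (a string compare would place "16.10" below "16.6.1"). Devices on a major version older than the one Apple lists are reported as unpatched on purpose; confirm against Apple's release page before closing those out.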

AVERTIUM'S RECOMMENDATIONS

  • The following products are impacted by CVE-2023-41064 and CVE-2023-41061:

    • macOS Ventura
    • iPhone 8 and later
    • iPad Pro (all models)
    • iPad Air 3rd generation and later
    • iPad 5th generation and later
    • iPad mini 5th generation and later
    • Apple Watch Series 4 and later
  • Apple has released security updates for CVE-2023-41064 and CVE-2023-41061 (macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2). You can find details regarding those updates in Apple's security releases advisory.
  • Verify, rather than assume, that devices have actually taken the update, using your MDM's OS-version reporting to find devices still below the fixed versions.
  • For executives and other high-risk users, enable Lockdown Mode. Citizen Lab reports that Apple's security engineering team confirmed Lockdown Mode blocks this particular attack.

INDICATORS OF COMPROMISE (IoCs)

At this time, there are no known IoCs associated with CVE-2023-41064 and CVE-2023-41061. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.

HOW AVERTIUM IS PROTECTING OUR CUSTOMERS

While Apple devices are less common than Windows endpoints in many enterprise fleets, they are frequently issued to company executives, who are precisely the kind of targets Pegasus operators pursue. Avertium is raising awareness among our customers so that these devices are patched before they are targeted.

SUPPORTING DOCUMENTATION

Apple security releases - Apple Support 

Apple discloses 2 new zero-days exploited to attack iPhones, Macs (bleepingcomputer.com) 

Apple Rushes to Patch Zero-Day Flaws Exploited for Pegasus Spyware on iPhones (thehackernews.com) 

Apple zero-click iMessage exploit used to infect iPhones with spyware (bleepingcomputer.com) 

BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild - The Citizen Lab 
