Black Arrow Cyber Advisory 08 September 2023 – Apple Discloses 2 New Zero-days Actively Exploited to Attack iPhones and Macs
Executive Summary
Apple have released emergency updates to fix two actively exploited new zero-day vulnerabilities which target iPhone and Mac users. The vulnerabilities, if exploited on an unpatched Apple device, allow attacks to execute arbitrary code through the use of maliciously crafted images and attachments.
What’s the risk to me or my business?
Exploitation of the vulnerabilities has already been used as part of zero-click iMessage exploits to deploy Pegasus mercenary software. This allows attackers execute code to perform actions such as extracting messages, photos, emails, and recording calls, impacting the confidentiality, integrity and availability of data.
Patches are available in:
macOS Ventura 13.5.2: Available for devices running macOS Ventura.
iOS 16.6.1 and iPadOS 16.6.1: Available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
Technical Summary:
CVE-2023-41064 – A buffer overflow weakness that when processing maliciously crafted images, can lead to arbitrary code execution
CVE-2023-41061 – a validation issue which can be exploited through a malicious attachment to also gain arbitrary code execution
What can I do?
Users are recommended the apply the patches as soon as possible due to their active exploitation in the wild. Organisations should also be aware that the patches mean employees using Apple BYOD devices will need to apply the relevant patches, as this impacts corporate information which the devices have access to.
Further information can be found below: