Gandalf_The_Grey
Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Apr 24, 2016
- 7,497
Apple released emergency security updates to fix two new zero-day vulnerabilities exploited in attacks targeting iPhone and Mac users, for a total of 13 exploited zero-days patched since the start of the year.
"Apple is aware of a report that this issue may have been actively exploited," the company revealed in security advisories describing the security flaws.
The bugs were all found in the Image I/O and Wallet frameworks and are tracked as CVE-2023-41064 (discovered by Citizen Lab security researchers) and CVE-2023-41061 (discovered by Apple).
CVE-2023-41064 is a buffer overflow weakness that gets triggered when processing maliciously crafted images, and it can lead to arbitrary code execution on unpatched devices.
CVE-2023-41061 is a validation issue that can be exploited using a malicious attachment to also gain arbitrary code execution on targeted devices.
Apple fixed the zero-days in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 with improved logic and memory handling.
The list of impacted devices is rather extensive, seeing that the two security bugs affect both older and newer models, and it includes:
- iPhone 8 and later
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Ventura
- Apple Watch Series 4 and later
Apple discloses 2 new zero-days exploited to attack iPhones, Macs
Apple released emergency security updates to fix two new zero-day vulnerabilities exploited in attacks targeting iPhone and Mac users, for a total of 13 exploited zero-days patched since the start of the year.
www.bleepingcomputer.com