Apple has taken swift action by rolling out critical security updates, addressing two fresh zero-day vulnerabilities that had been actively exploited in attacks aimed at iPhone and Mac users. This brings the tally to 13 zero-days that have been successfully patched since the beginning of the year. In their security advisories, Apple stated, "We are aware of reports indicating potential active exploitation of this issue."
Vulnerabilities were detected within the Image I/O and Wallet frameworks, specifically identified as CVE-2023-41064 and CVE-2023-41061.
CVE-2023-41064 and CVE-2023-41061 were actively exploited as part of a zero-click iMessage exploit chain known as BLASTPASS. This exploit chain was utilised to deploy the NSO Group's Pegasus mercenary spyware onto fully-patched iPhones (running iOS 16.6) through PassKit attachments containing malicious images.
CVE-2023-41064, a buffer overflow vulnerability, is triggered when processing maliciously crafted images, potentially leading to arbitrary code execution on devices lacking the necessary patches.
CVE-2023-41061, on the other hand, is a validation issue that can be exploited via a malicious attachment, also allowing for arbitrary code execution on targeted devices.
Apple has addressed these zero-day vulnerabilities in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 by implementing enhanced logic and memory handling.
The reach of these security flaws is extensive, affecting a wide range of devices, including:
iPhone 8 and later
iPad Pro (all models)
iPad Air 3rd generation and later
iPad 5th generation and later
iPad mini 5th generation and later
Macs running macOS Ventura
Apple Watch Series 4 and later
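The fixed releases listed above can be turned into a quick fleet check. The following is an added example, not code from Apple or from the original article: the inventory, hostnames and status labels are constructed, and it assumes that any release numbered at or above a listed fixed release carries the fix.

```python
import re

# Fixed releases as listed in the article above.
FIXED = {
    "macOS": (13, 5, 2),
    "iOS": (16, 6, 1),
    "iPadOS": (16, 6, 1),
    "watchOS": (9, 6, 2),
}

def parse_version(text):
    """Turn '16.6' or '16.5.1 (a)' into a 3-tuple of ints such as (16, 6, 0)."""
    match = re.match(r"\s*(\d+(?:\.\d+){0,2})", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(os_name, version_text):
    """Return 'patched', 'update-required' or 'not-listed'."""
    fixed = FIXED.get(os_name)
    if fixed is None:
        return "not-listed"
    version = parse_version(version_text)
    # Compare numerically: as plain strings, '16.10' would sort below '16.6.1'.
    if version >= fixed:
        return "patched"
    if version[0] == fixed[0]:
        return "update-required"
    # Older major branch: the article names no fixed release for it.
    return "not-listed"

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("ceo-iphone", "iOS", "16.6"),
    ("lab-ipad", "iPadOS", "16.6.1"),
    ("build-mac", "macOS", "13.5.1"),
    ("old-mac", "macOS", "12.6.8"),
    ("qa-iphone", "iOS", "16.10"),       # hypothetical, shows numeric ordering
    ("rsr-iphone", "iOS", "16.5.1 (a)"),  # Rapid Security Response style suffix
    ("desk-watch", "watchOS", "9.6.2"),
]

def audit(inventory):
    return {host: classify(os_name, ver) for host, os_name, ver in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:12} {status}")
```

Devices reported as not-listed need a separate check against Apple's advisories, since the article gives no fixed release for those branches.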
Thirteen zero-day vulnerabilities have been resolved by Apple in the current year. Since the beginning of the year, Apple has patched these zero-days, which were exploited in attacks targeting devices running iOS, macOS, iPadOS, and watchOS.
Approximately two months ago, in July, Apple released out-of-band Rapid Security Response (RSR) updates to address a critical vulnerability, CVE-2023-37450, affecting even fully patched iPhones, Macs, and iPads.
It was acknowledged that the RSR updates had inadvertently caused some web browsing issues on patched devices. To rectify this, Apple promptly released revised and improved versions of the initially problematic patches within two days.
To sum up
The pace at which zero-day vulnerabilities are discovered and exploited underscores the critical importance of robust cyber security measures. Apple's efforts to patch these vulnerabilities have been commendable, but the speed and sophistication of modern cyber attacks demand a proactive approach to security. This is where a cyber security company can play a pivotal role.
Mobile application penetration testing is a valuable service offered by cyber security companies. This involves thoroughly assessing the security of mobile applications, including those on iOS devices. Penetration testers simulate real-world attacks to identify vulnerabilities and weaknesses in the application's code and architecture. By conducting such tests, they can discover and report potential security flaws that might lead to zero-day vulnerabilities being exploited.
In summary, cyber security companies offer a range of services that can help identify, mitigate, and respond to security threats, including zero-day vulnerabilities. Mobile application penetration testing is just one tool that can assist with strengthening your cyber defences, and it plays a crucial role in identifying vulnerabilities specific to mobile applications and devices, making it a valuable asset in enhancing security.

