Apple backports fix for actively exploited 0-day to older macOS and iPhone/iPad devices
Apple’s formidable reputation for robust security received a jolt earlier this month, and recent developments suggest that the wave isn’t over yet. A severe 0-day vulnerability, affecting an array of older Apple devices, has forced the tech giant to go back in time, rolling out patches for gadgets many had thought were safely in the rearview mirror.
Dubbed CVE-2023-41064, the flaw is embedded in the Image I/O process of Apple devices. At its core, it’s a buffer overflow vulnerability – the sort of glitch that offers an attacker the potential to execute arbitrary code on the targeted device. The method? Simple yet effective: luring victims to a carefully crafted malicious website.
What’s more troubling is that Apple has acknowledged that there are already reports of this vulnerability being exploited in the wild. The same vulnerability was swiftly addressed for macOS Ventura and newer iPhone/iPad devices earlier in September, but it appears older devices were left exposed.
The recent update brought the issue to light for devices including:
– iPhone 6s and 7 (covering all models)
– iPhone SE (1st generation)
– iPad Air 2
– iPad mini (4th generation)
– iPod touch (7th generation)
– Mac devices running macOS Monterey 12.6.9 and macOS Big Sur 11.7.10.
Citizen Lab, in a shocking revelation, exposed how CVE-2023-41064 was manipulated as part of a zero-click iMessage exploit chain, ominously titled BLASTPASS. The exploit was utilized to introduce NSO Group’s infamous Pegasus spyware onto iPhones that had all the latest patches, specifically targeting iOS 16.6 via malicious PassKit attachments.
As the ripples spread, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm. Elevating the vulnerability to its Known Exploited Vulnerabilities catalog, CISA highlights it as a “frequent attack vector for malicious cyber actors.”
This isn’t just a warning. Following a binding operational directive (BOD 22-01) from November 2022, U.S. Federal Civilian Executive Branch Agencies (FCEB) are under the gun to patch all vulnerabilities listed in CISA’s catalog within a stringent timeframe. The deadline for addressing CVE-2023-41064? October 2nd, 2023.
While BOD 22-01 may zero in on U.S. federal agencies, CISA doesn’t leave the private sector out in the cold. With a strong recommendation, private entities are urged to act swiftly and patch the exposed vulnerabilities pronto.
