Apple has released security updates that address two actively exploited vulnerabilities in various versions of macOS, iOS, watchOS and iPadOS. If exploited, the vulnerabilities can lead to arbitrary code execution.
One of the flaws (CVE-2023-41064) exists in the Image I/O framework, which allows applications to read and write most image file formats. The buffer overflow issue was addressed by Apple with improved memory handling.
For this flaw, “processing a maliciously crafted image may lead to arbitrary code execution,” the company said in a Thursday security advisory. “Apple is aware of a report that this issue may have been actively exploited.”
The second flaw (CVE-2023-41061) is a validation issue in Apple’s Wallet feature, which allows users to store their cards and passes. According to Apple, a maliciously crafted attachment could lead to arbitrary code execution. The bug was addressed with improved logic.
Both bugs impact iPhone 8 and later, all models of the iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, and the iPad mini 5th generation and later. Meanwhile, the bug tied to CVE-2023-41061 also impacts Apple Watch Series 4 and later; while the flaw tied to CVE-2023-41064 additionally affects macOS Ventura. Apple has rolled out iOS 16.6.1, iPadOS 16.6.1, watchOS 9.6.2 and macOS Ventura 13.5.2 to address the security flaws.
While CVE-2023-41064 was found by The Citizen Lab at The University of Torontoʼs Munk School, CVE-2023-41061 was discovered internally by Apple, with “assistance” from Citizen Lab.
“For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” said Apple.
Apple over the past few months has rolled out fixes for various actively exploited bugs, including through an update addressing a WebKit flaw (CVE-2023-37450) impacting iOS, macOS and iPadOS in July and one addressing an integer overflow flaw (CVE-2023-32434) impacting watchOS, macOS and iPadOS in June.
Article Link: Apple Fixes Two Actively Exploited Flaws | Decipher