Apple patches “clickless” 0-day image processing vulnerability in iOS, macOS

posted onSeptember 7, 2023
by l33tdawg
Arstechnica
Credit: Arstechnica

Apple has released security updates for iOS, iPadOS, macOS, and watchOS today to fix actively exploited zero-day security flaws that can be used to install malware via a "maliciously crafted image" or attachment. The iOS 16.6.1, iPadOS 16.6.1, macOS 13.5.2, and watchOS 9.6.2 updates patch the flaws across all of Apple's platforms. As of this writing, no updates have been released for older versions like iOS 15 or macOS 12.

The CVE-2023-41064 and CVE-2023-41061 flaws were reported by the Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto. Also dubbed "BLASTPASS," Citizen Lab says that the bugs are serious because they can be exploited just by loading an image or attachment, which happens regularly in Safari, Messages, WhatsApp, and other first- and third-party apps. These bugs are also called "zero-click" or "clickless" vulnerabilities.

Citizen Lab also said that the BLASTPASS bug was "being used to deliver NSO Group’s Pegasus mercenary spyware," the latest in a long line of similar exploits that have been used to infect fully patched iOS and Android devices.

Source

Tags

Apple Security

You May Also Like

Other Articles In This Section

Recent News

Monday, May 20th

WikiLeaks' Julian Assange Can Appeal His Extradition to the US, British Court Says
Craig Wright Lied About Creating Bitcoin And Faked Evidence, Judge Rules
Two students find security bug that could let millions do laundry for free
Lazarus Group Moves $147.5M in Stolen Crypto (BTC, ETH) to North Korea, UN Report Reveals
Time Is Running Out in the Hunt for Rare Bitcoin
“Unprecedented” Google Cloud event wipes out customer account and its backups
What happened to OpenAI’s long-term AI risk team?

Thursday, May 16th

Flaw in Wi-Fi Standard Can Enable SSID Confusion Attacks
Linux maintainers were infected for 2 years by SSH-dwelling backdoor with huge reach
MIT students stole $25M in seconds by exploiting ETH blockchain bug
BreachForums, an online bazaar for stolen data, seized by FBI

Wednesday, May 15th

It’s the End of Google Search As We Know It
Google strikes back at OpenAI with “Project Astra” AI agent prototype

Tuesday, May 14th

Security researcher says PoC for kernel vulnerability targeting iOS 17.4.1 and older coming soon
Apple releases iOS 17.5, macOS 14.5, and other updates as new iPads launch
Disarmingly lifelike: ChatGPT-4o

Monday, May 13th

FBI To Charge Teenager Hackers From Scattered Spider Who Hacked Hundreds Of Organizations
JTAG Hacking An SSD With A Pi: A Primer
As of May 2024, Black Basta ransomware affiliates hacked over 500 organizations worldwide
North Korean hackers deploy ‘Durian’ malware, targeting crypto firms
Interview With the Russian-Military-Linked Hackers Targeting US Water Utilities
Google patches its fifth zero-day vulnerability of the year in Chrome
OpenAI revs up plans for web search, but denies report of an imminent launch

Friday, May 10th

Boeing Confirms Lockbit Hackers Wanted $200 Million Ransom After 2023 Hack
Dell discloses data breach of customers’ physical addresses
Poland says it was targeted by Russian military intelligence hackers
Leaked FBI email stresses need for warrantless surveillance of Americans
Stack Overflow users sabotage their posts after OpenAI deal
Fedora Asahi Remix 40 is another big step forward for Linux on Apple Silicon Macs
6 Practical Tips for Using Anthropic's Claude Chatbot

Thursday, May 9th

OpenAI Is ‘Exploring’ How to Responsibly Generate AI Porn
Dell responds to return-to-office resistance with VPN, badge tracking
Hands-on with the new iPad Pros and Airs: A surprisingly refreshing refresh

Wednesday, May 8th

Chinese Hackers Deployed Backdoor Quintet to Down MITRE
Apple announces M4 with more CPU cores and AI focus