Apple Ships updates for Critical Vulnerabilities

Apple has released emergency updates for its suite of operating systems after revealing two critical new vulnerabilities that were exploited by Israeli spyware maker NSO Group to install spyware on devices.

Recent zero-days in Apple products being exploited by NSO were discovered by Citizen Lab in April, and it’s Citizen Lab that discovered one of the two new exploits, Apple revealing the other.

The first vulnerability, tracked as CVE-2023-41064, is a buffer overflow issue in the Image I/O framework. The second vulnerability, tracked as CVE-2023-41061, is a validation issue in the Wallet framework.

Researchers said that it had discovered the Image I/O framework vulnerability, which it has dubbed “BLASTPASS,” while checking the device of an individual employed by a Washington D.C.-based civil society organization with international offices. The zero-day vulnerability had been exploited to install NSO Group’s Pegasus spyware.

Apple has addressed both zero-days in the latest releases for a range of products — iOS and iPadOS 16.6.1, macOS 13.5.2, and watchOS 9.6.2. Along with Mac Ventura, products affected include the iPhone 8 and later, all models of the iPad Pro, the iPad Air 3rd generation and later, the iPad 5th generation and later, the iPad mini 5th generation and later, and the Apple Watch Series 4 and later.

The first zero-day has been addressed with improved memory handling, while the second was fixed by implementing improved logic. All Apple users are urged to update their devices.