My next class:

Apple fixes 0-Day Vulnerability in Older Operating Systems

Published: 2023-09-11. Last Updated: 2023-09-11 18:32:28 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

This update fixes the ImageIO vulnerability Apple patched for current operating systems last week. Now, Apple follows up with a patch for its older, but still supported, operating system versions.

According to Citizen Lab, this vulnerability is already being exploited. Exploitation took advantage of the ImageIO vulnerability and a vulnerability in the Apple wallet "PassKit" API to send a "Pass" to the victim, including the malicious image. These older operating systems support PassKit, but it needs to be clarified if they are vulnerable to the PassKit issue.

More details: Apple: https://support.apple.com/en-us/HT201222

Citizen Lab: https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/

 

iOS 15.7.9 and iPadOS 15.7.9 macOS Monterey 12.6.9 macOS Big Sur 11.7.10
CVE-2023-41064 [critical] ChatGPT-CVSS: 9 *** EXPLOITED *** ImageIO
A buffer overflow issue was addressed with improved memory handling.
Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
x x x

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords: blastpass ios macos patch
0 comment(s)
My next class:

Comments

Login here to join the discussion.


Top of page
Diary Archives