Apple fixes 0-day “no-click” image processing vulnerability in iOS, macOS


Apple today released security updates for iOS, iPadOS, macOS, and watchOS to address actively exploited zero-day vulnerabilities that can be used to install malware via a “maliciously crafted image” or attachment. The updates are iOS 16.6.1, iPadOS 16.6.1, macOS 13.5.2, and watchOS 9.6.2. As of this writing, no updates have been released for older major versions such as iOS 15 or macOS 12.
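For anyone who has to confirm that a fleet actually moved to the fixed builds, here is an added example (not code from the article, Apple, or Citizen Lab) that checks an inventory of (platform, version) pairs against the first fixed releases named above. The device records are constructed sample data; the point it makes beyond the version list is that a device on a major version with no fix (iOS 15, macOS 12) should be reported separately from one that merely has not updated yet, because the remediation differs:

```python
"""Patch-compliance check for the BLASTPASS fixes (CVE-2023-41064, CVE-2023-41061).

Added example, not code from the article or from Apple/Citizen Lab. Takes an
inventory of (device, platform, version) rows, such as an MDM export might give,
and reports whether each device runs a build at or above the first fixed release
listed in the article. SAMPLE_INVENTORY is constructed sample data.
"""
from __future__ import annotations

# First releases carrying the fix, per the article, keyed by (platform, major version).
FIXED_VERSIONS: dict[tuple[str, int], tuple[int, int, int]] = {
    ("iOS", 16): (16, 6, 1),
    ("iPadOS", 16): (16, 6, 1),
    ("macOS", 13): (13, 5, 2),
    ("watchOS", 9): (9, 6, 2),
}

KNOWN_PLATFORMS = {platform for platform, _ in FIXED_VERSIONS}


def parse_version(text: str) -> tuple[int, int, int]:
    """'13.5.2' -> (13, 5, 2). Pads to three components so '16.6' == '16.6.0'.

    A trailing Rapid Security Response tag such as '16.5.1 (a)' is dropped; this
    check only compares the base OS build.
    """
    base = text.strip().split()[0]
    parts = [int(p) for p in base.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def patch_status(platform: str, version: str) -> str:
    """Classify one device.

    'patched'          at or above the fixed release for its major version
    'vulnerable'       same major version, older than the fix: update available
    'no-fix-available' older major version with no update as of the article
    'not-covered'      newer major version than the advisory lists: check manually
    'unknown-platform' platform not in the advisory table
    """
    if platform not in KNOWN_PLATFORMS:
        return "unknown-platform"
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((platform, v[0]))
    if fixed is not None:
        return "patched" if v >= fixed else "vulnerable"
    newest_fixed_major = max(major for p, major in FIXED_VERSIONS if p == platform)
    return "no-fix-available" if v[0] < newest_fixed_major else "not-covered"


# Constructed sample data: (device name, platform, reported OS version).
SAMPLE_INVENTORY = [
    ("alice-iphone", "iOS", "16.6.1"),
    ("bob-iphone", "iOS", "16.6"),
    ("carol-ipad", "iPadOS", "16.5.1 (a)"),
    ("dave-mbp", "macOS", "13.5.2"),
    ("erin-mbp", "macOS", "12.6.8"),
    ("frank-watch", "watchOS", "9.6.2"),
    ("grace-iphone", "iOS", "15.7.8"),
]


def report(inventory=SAMPLE_INVENTORY) -> dict[str, list[str]]:
    """Group device names by status so the rows needing action stand out."""
    out: dict[str, list[str]] = {}
    for name, platform, version in inventory:
        out.setdefault(patch_status(platform, version), []).append(name)
    return out


if __name__ == "__main__":
    for status, names in sorted(report().items()):
        print(f"{status:18} {', '.join(names)}")
```

The "no-fix-available" bucket is the one to escalate rather than nag: those users cannot close the hole by updating, so the practical options as the article describes them are Lockdown Mode or moving to a supported OS. If Apple later backports fixes to those branches, extend FIXED_VERSIONS with the new (platform, major) entries and the same check covers them.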

The vulnerabilities, CVE-2023-41064 (a buffer overflow in the ImageIO framework reached through a maliciously crafted image) and CVE-2023-41061 (a validation issue in Wallet reached through a maliciously crafted attachment), were reported by the Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto. Citizen Lab, which calls the exploit chain "BLASTPASS," says the bugs are serious because they can be triggered simply by loading an image or attachment, something that happens routinely in Safari, Messages, WhatsApp, and other first- and third-party apps, without the victim tapping anything. Bugs of this kind are called “zero-click” or “no-click” vulnerabilities.

Citizen Lab also said the BLASTPASS chain was "used to spread NSO Group's mercenary Pegasus spyware," the latest in a long line of similar exploits that have been used to infect fully patched iOS and Android devices.

Users concerned about these types of vulnerabilities can proactively mitigate them by enabling Lockdown Mode on their iOS and macOS devices; among other things, it blocks most message attachment types and disables link previews, exactly the attack vectors that “no-click” exploits like this one rely on.

"We believe, and Apple's security architecture and engineering team has confirmed to us, that Lockdown Mode blocks this particular attack," Citizen Lab said.

These updates will likely be among the last to be released before Apple's September product announcement event next week, during which we expect to get release dates for iOS 17, iPadOS 17 and possibly other software.

