Security & Privacy

Apple patches 2 actively exploited vulns in macOS Ventura, iOS 16, watchOS 9

Posted on by

On Thursday, September 7, Apple released urgent security updates for macOS Ventura, iOS 16, iPadOS 16, and watchOS 9 to address two “actively exploited” vulnerabilities:

ImageIO

Available for: macOS Ventura, iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-41064: The Citizen Lab at The University of Torontoʼs Munk School

 

Wallet

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later, Apple Watch Series 4 and later

Impact: A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A validation issue was addressed with improved logic.

CVE-2023-41061: Apple

The Citizen Lab blogged that both vulnerabilities were used in connection with the BLASTPASS exploit chain, which had been capable of compromising iOS 16.6 without any victim interaction. In other words, BLASTPASS was a “zero-click” exploit chain. Evidently, someone using the NSO Group’s Pegasus spyware had leveraged BLASTPASS to hack a Washingon, DC-based individual’s device.

Given that both vulnerabilities have been used in real-world attacks, these updates are urgent.

The updates are named macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1, and watchOS 9.6.2.

No updates are available for previous versions of macOS, iOS, iPadOS, or watchOS. If you’re still using an older Apple operating system, your device is vulnerable. Learn more about dangerously outdated Macs, iPhones (and by extension iPads), and Apple Watches.

How to install Apple security updates

To update a Mac running macOS Ventura, go to System Settings > General > Software Update.

If you have any trouble getting the macOS update to show up, either press ⌘R at the Software Update screen, or type in the Terminal softwareupdate -l (that’s a lowercase L) and press Return/Enter.

If you have an iPhone or iPad, go to Settings > General > Software Update to update iOS or iPadOS on your device.

To update watchOS on your Apple Watch, the process is a bit more complicated. First make sure your iPhone is up to date, that both your iPhone and Watch are connected to the same Wi-Fi network, and that the Watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.

Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned. See our related article on how to check your macOS backups to ensure they work correctly.

How to Verify Your Backups are Working Properly

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →