On Thursday, September 7, Apple released urgent security updates for macOS Ventura, iOS 16, iPadOS 16, and watchOS 9 to address two “actively exploited” vulnerabilities:
ImageIO
Available for: macOS Ventura, iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2023-41064: The Citizen Lab at The University of Torontoʼs Munk School
Wallet
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later, Apple Watch Series 4 and later
Impact: A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A validation issue was addressed with improved logic.
CVE-2023-41061: Apple
The Citizen Lab blogged that both vulnerabilities were used in connection with the BLASTPASS exploit chain, which had been capable of compromising iOS 16.6 without any victim interaction. In other words, BLASTPASS was a “zero-click” exploit chain. Evidently, someone using the NSO Group’s Pegasus spyware had leveraged BLASTPASS to hack a Washingon, DC-based individual’s device.
Given that both vulnerabilities have been used in real-world attacks, these updates are urgent.
The updates are named macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1, and watchOS 9.6.2.
No updates are available for previous versions of macOS, iOS, iPadOS, or watchOS. If you’re still using an older Apple operating system, your device is vulnerable. Learn more about dangerously outdated Macs, iPhones (and by extension iPads), and Apple Watches.
To update a Mac running macOS Ventura, go to System Settings > General > Software Update.
If you have any trouble getting the macOS update to show up, either press ⌘R at the Software Update screen, or type in the Terminal softwareupdate -l (that’s a lowercase L) and press Return/Enter.
If you have an iPhone or iPad, go to Settings > General > Software Update to update iOS or iPadOS on your device.
To update watchOS on your Apple Watch, the process is a bit more complicated. First make sure your iPhone is up to date, that both your iPhone and Watch are connected to the same Wi-Fi network, and that the Watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.
Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned. See our related article on how to check your macOS backups to ensure they work correctly.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: 
