Apple has issued security updates for vulnerabilities in its products that were discovered by the Citizen Lab at the University of Toronto.
The vulnerabilities, which are considered critical, impact watchOS, macOS Ventura, iOS and iPadOS. Apple released security updates on 7 September 2023 that address them: watchOS 9.6.2, macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1.
Apple stated that the watchOS vulnerability, assigned CVE-2023-41061, impacts Wallet on Apple Watch Series 4 and later. The flaw allows a maliciously crafted attachment to execute arbitrary code. Apple addressed it in watchOS 9.6.2 by fixing the validation issue with improved logic.
Users of Apple Watch Series 4 and later are advised to update their devices promptly to watchOS 9.6.2.
macOS Ventura Vulnerability:
The macOS Ventura vulnerability, assigned CVE-2023-41064, impacts ImageIO (the framework responsible for how Apple writes image data). On affected versions of Ventura, processing a maliciously crafted image may trigger a buffer overflow and allow arbitrary code to be executed.
Apple stated that it is aware this issue might have been actively exploited, and that the buffer overflow has been fixed with improved memory handling. Users are advised to install the latest update, macOS Ventura 13.5.2.
iOS and iPadOS Vulnerability:
In its publication, Apple stated that iOS and iPadOS were impacted by two vulnerabilities, one in ImageIO and one in Wallet.
ImageIO in iOS and iPadOS:
The vulnerability, assigned CVE-2023-41064, affects iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
Apple stated that on all affected models running an older version of iOS or iPadOS, processing a maliciously crafted image may trigger a buffer overflow and lead to arbitrary code execution. Apple further disclosed that it is aware this issue might have been actively exploited.
As mitigation, Apple stated that the buffer overflow has been addressed with improved memory handling. Users are advised to install iOS 16.6.1 or iPadOS 16.6.1 on all affected models listed above.
Wallet in iOS and iPadOS:
The vulnerability, assigned CVE-2023-41061, affects iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
On all of the iPhone and iPad models listed above running an older version of iOS or iPadOS, the flaw allows a maliciously crafted attachment to execute arbitrary code.
Apple's mitigation fixes the validation issue with improved logic in the iOS 16.6.1 and iPadOS 16.6.1 security updates.
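For teams tracking these updates across many devices, the following added example (not Apple's code and not part of the original article) checks reported OS versions against the fixed versions listed above. The inventory format, device names and status labels are assumptions made for illustration; versions on a different major release line are reported as out of scope because the article gives no fixed version for them.

```python
# Fixed versions are taken from the article; everything else is illustrative.
FIXED = {
    "watchos": (9, 6, 2),
    "macos": (13, 5, 2),   # macOS Ventura
    "ios": (16, 6, 1),
    "ipados": (16, 6, 1),
}


def parse_version(text):
    """Turn '16.6' or '16.5.1 (a)' into a 3-part tuple such as (16, 6, 0)."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty version string")
    parts = tokens[0].split(".")   # ignore a trailing suffix such as '(a)'
    if len(parts) > 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def assess(platform, version):
    """Return 'patched', 'needs-update', 'out-of-scope' or 'unparseable'."""
    fixed = FIXED.get(platform.strip().lower())
    if fixed is None:
        return "out-of-scope"      # platform not named in the article
    try:
        current = parse_version(version)
    except ValueError:
        return "unparseable"       # surface for manual review, never assume patched
    if current[0] != fixed[0]:
        return "out-of-scope"      # different major release line
    return "patched" if current >= fixed else "needs-update"


def triage(inventory):
    """Return (device, status) for every entry that is not confirmed patched."""
    results = [(name, assess(plat, ver)) for name, plat, ver in inventory]
    return [(name, status) for name, status in results if status != "patched"]


# Constructed sample inventory: (device name, platform, reported OS version).
SAMPLE_INVENTORY = [
    ("watch-01", "watchOS", "9.6.1"),
    ("mac-07", "macOS", "13.5.2"),
    ("mac-11", "macOS", "12.6.8"),
    ("phone-03", "iOS", "16.5.1 (a)"),
    ("pad-02", "iPadOS", "16.6.1"),
    ("phone-09", "iOS", "unknown"),
]
```

Entries reported as out of scope or unparseable still need a manual check against Apple's advisory rather than being treated as safe.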
Please let us know your thoughts in the comment section.