New Vulnerabilities in Apple Products Exploited in the Wild


On September 7, 2023, Apple released emergency security updates to fix a buffer overflow vulnerability (CVE-2023-41064) and a validation issue (CVE-2023-41061) in macOS, iOS, iPadOS, and watchOS. Both vulnerabilities can be exploited with a maliciously crafted attachment or image, leading to arbitrary code execution.

| Vulnerability | Description | Impacted Products |
|---|---|---|
| CVE-2023-41064 | A buffer overflow vulnerability where processing a maliciously crafted image may lead to arbitrary code execution. | macOS, iOS, iPadOS |
| CVE-2023-41061 | A validation issue where a maliciously crafted attachment may result in arbitrary code execution. | watchOS, iOS, iPadOS |


Citizen Lab observed these two vulnerabilities being exploited in the wild in a zero-click exploit chain named BLASTPASS to deploy Pegasus, spyware developed by the Israel-based NSO Group to gather information from mobile devices. In the past, NSO Group has supplied foreign governments with Pegasus to target government officials, journalists, embassy workers, and people in other sectors. No further technical details about this exploit chain have been shared at this time.

macOS and iOS devices are attractive targets for threat actors deploying spyware because they can hold sensitive company data, especially in organizations with a Bring Your Own Device (BYOD) policy where security updates may not be enforced.

Recommendation 

Upgrade Apple Products to Fixed Version 

Arctic Wolf strongly recommends upgrading macOS to macOS Ventura 13.5.2. The update can be performed on an Apple Mac device by going to System Settings > Software Update.

Arctic Wolf also recommends ensuring that iPhone and iPad devices with company data are updated with their respective updates to iOS 16.6.1 and iPadOS 16.6.1 by going to Settings > General > Software Update. 

Note: Citizen Lab urges all at-risk users to enable Lockdown Mode; Apple’s Security Engineering and Architecture team has confirmed that Lockdown Mode blocks this particular attack.

Please follow your organization’s patching and testing guidelines to avoid operational impact. 
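As an added example (not Arctic Wolf's or Apple's code), the following POSIX shell check compares a reported OS version against the fixed versions named in this advisory (macOS 13.5.2, iOS and iPadOS 16.6.1, watchOS 9.6.2) for use in fleet inventory or MDM scripts. It compares dotted versions field by field as numbers, so that a hypothetical 13.5.10 is not sorted below 13.5.2; the `sw_vers` call at the end only runs when the script is executed on a Mac.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Apple.
# Assumes version strings are dotted decimal numbers as reported by sw_vers.

# version_ge A B -> exit status 0 if dotted version A >= B, 1 otherwise.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading field of each
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac   # drop that field
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        ai="${ai:-0}"; bi="${bi:-0}"          # missing field counts as 0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0                                  # all fields equal
}

# fixed_version PRODUCT -> prints the first fixed version from this advisory.
fixed_version() {
    case "$1" in
        macOS)        echo 13.5.2 ;;
        iOS|iPadOS)   echo 16.6.1 ;;
        watchOS)      echo 9.6.2 ;;
        *)            return 1 ;;             # product not covered here
    esac
}

# is_patched PRODUCT VERSION -> 0 if VERSION is at or above the fixed
# version, 1 if below it, 2 if the product is unknown to this check.
is_patched() {
    fixed=$(fixed_version "$1") || return 2
    version_ge "$2" "$fixed"
}

# Stand-alone use: report the local Mac when run on macOS.
if command -v sw_vers >/dev/null 2>&1; then
    v=$(sw_vers -productVersion)
    if is_patched macOS "$v"; then
        echo "macOS $v: at or above advised version 13.5.2"
    else
        echo "macOS $v: BELOW advised version 13.5.2, update required"
    fi
fi
```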

References 

  1. Apple macOS Ventura 13.5.2 Advisory
  2. Apple iOS 16.6.1 and iPadOS 16.6.1 Advisory
  3. Apple watchOS 9.6.2 Advisory
  4. Citizen Lab Report
  5. U.S. Department of Commerce Adds NSO Group to Entity List

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.