{"id":98760,"date":"2023-09-07T12:19:16","date_gmt":"2023-09-07T19:19:16","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=98760"},"modified":"2023-09-07T14:29:52","modified_gmt":"2023-09-07T21:29:52","slug":"apple-patches-2-actively-exploited-vulns-in-macos-ventura-ios-16-watchos-9","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/apple-patches-2-actively-exploited-vulns-in-macos-ventura-ios-16-watchos-9\/","title":{"rendered":"Apple patches 2 actively exploited vulns in macOS Ventura, iOS 16, watchOS 9"},"content":{"rendered":"

\"\"<\/p>\n

On Thursday, September 7, Apple released urgent security updates for macOS Ventura, iOS 16, iPadOS 16, and watchOS 9 to address two “actively exploited” vulnerabilities:<\/p>\n

ImageIO<\/strong><\/p>\n

Available for: macOS Ventura, iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later<\/p>\n

Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.<\/span><\/p>\n

Description: A buffer overflow issue was addressed with improved memory handling.<\/p>\n

CVE-2023-41064: The Citizen Lab at The University of Toronto\u02bcs Munk School<\/p>\n

 <\/p>\n

Wallet<\/strong><\/p>\n

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later, Apple Watch Series 4 and later<\/p>\n

Impact: A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.<\/span><\/p>\n

Description: A validation issue was addressed with improved logic.<\/p>\n

CVE-2023-41061: Apple<\/p><\/blockquote>\n

The Citizen Lab blogged<\/a> that both vulnerabilities were used in connection with the BLASTPASS exploit chain, which had been capable of compromising iOS 16.6 without any victim interaction. In other words, BLASTPASS was a “zero-click” exploit chain. Evidently, someone using the NSO Group’s Pegasus spyware had leveraged BLASTPASS to hack a Washingon, DC-based individual’s device.<\/p>\n

Given that both vulnerabilities have been used in real-world attacks, these updates are urgent.<\/p>\n

The updates are named macOS Ventura 13.5.2<\/a>, iOS 16.6.1 and iPadOS 16.6.1<\/a>, and watchOS 9.6.2<\/a>.<\/p>\n

No updates are available for previous versions of macOS, iOS, iPadOS, or watchOS.<\/strong> If you’re still using an older Apple operating system, your device is vulnerable. Learn more about dangerously outdated Macs<\/a>, iPhones<\/a> (and by extension iPads), and Apple Watches<\/a>.<\/p>\n

How to install Apple security updates<\/h3>\n

To update a Mac running macOS Ventura<\/strong>, go to System Settings > General > Software Update.<\/p>\n

If you have any trouble getting the macOS update to show up, either press \u2318R at the Software Update screen, or type in the Terminal softwareupdate -l<\/code> (that\u2019s a lowercase L) and press Return\/Enter.<\/p>\n

If you have an iPhone or iPad<\/strong>, go to Settings > General > Software Update to update iOS or iPadOS on your device.<\/p>\n

To update watchOS on your Apple Watch<\/strong>, the process is a bit more complicated. First make sure your iPhone is up to date, that both your iPhone and Watch are connected to the same Wi-Fi network, and that the Watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.<\/p>\n

Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data<\/strong> before installing any updates. This gives you a restore point if something does not go as planned. See our related article on how to check your macOS backups to ensure they work correctly<\/a>.<\/a><\/p>\n

How to Verify Your Backups are Working Properly<\/a><\/p><\/blockquote>\n