Apple Rushes to Patch Zero-Day Flaws Exploited for Pegasus Spyware on iPhones

11-09-2023

Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group’s Pegasus mercenary spyware.

The issues are described as follows:

  • CVE-2023-41061 – A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
  • CVE-2023-41064 – A buffer overflow issue in the Image I/O component that could result in arbitrary code execution when processing a maliciously crafted image.

The updates are available for the following devices and operating systems –

Cupertino has so far fixed a total of 13 zero-day bugs in its software since the start of the year. The latest updates also arrive more than a month after the company shipped fixes for an actively exploited kernel flaw (CVE-2023-38606).

News of the zero-days comes as the Chinese government is believed to have ordered a ban prohibiting central and state government officials from using iPhones and other foreign-branded devices for work in an attempt to reduce reliance on overseas technology and amid an escalating Sino-U.S. trade war.

Source: https://thehackernews.com/