Time to Update: Apple Patches 2 iOS Flaws That Launch Malware on iPhone, iPad

UPDATE: Citizen Lab says the vulnerabilities were used in attacks from the notorious Israeli spyware provider NSO Group.

“Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware,” the group says.

Perhaps the most alarming part is that the attack can compromise an iPhone running the latest version of iOS “without any interaction from the victim,” Citizen Lab adds. Hence, the watchdog group is urging all users to update their iPhones.

Original story:
Hackers have been spotted exploiting two new vulnerabilities in iOS, prompting Apple to release an emergency patch. 

The fix is rolling out via the iOS 16.6.1 and iPadOS 16.6.1 updates, both of which warn: “Apple is aware of a report that this issue may have been actively exploited.”

The first vulnerability, CVE-2023-41064, affects Image I/O, a software framework that helps apps read and write various image formats. According to Apple, a “buffer overflow issue” in Image I/O can be exploited with a maliciously crafted image, which can trigger iOS to run rogue computer code when the image is processed. This could be abused to download malware to an iPhone.

Apple Macs also use Image I/O, so the company created a patch for macOS Ventura to protect the products from the threat. 

The company learned of the flaw from Citizen Lab, a watchdog group that often investigates hacking attacks from commercial spyware dealers. Citizen Lab didn’t immediately respond to a request for comment. But it’s possible the vulnerability was uncovered while the group was trying to protect victims from a new spyware threat. 

With Citizen Lab’s help, Apple also uncovered the second vulnerability, dubbed CVE-2023-41061, which affects the Apple Wallet app and can be abused to make it run rogue computer code if iOS processes a “maliciously crafted attachment.”

Hence, it sounds like both vulnerabilities can allow hackers to remotely attack iPhones by sending malicious files. The company’s fixes for iOS have…