The vulnerabilities, tracked as CVE-2023-41064 and CVE-2023-41061, are critical code execution flaws that could allow an attacker to take full control of a vulnerable device. Apple said it is aware of a report that these issues may have been actively exploited.
CVE-2023-41064 is a buffer overflow in the ImageIO framework of Apple devices that can lead to arbitrary code execution when a maliciously crafted image is processed. The second flaw, CVE-2023-41061, is a validation issue in the Wallet app: processing a maliciously crafted attachment can likewise result in arbitrary code execution.
Both flaws affect a wide range of Apple devices running iOS, iPadOS, macOS, and watchOS. Apple addressed them in iOS 16.6.1, iPadOS 16.6.1, macOS Ventura 13.5.2, and watchOS 9.6.2, fixing the ImageIO overflow with improved memory handling and the Wallet issue with improved validation logic.
The emergency updates come just two months after another set of urgent security patches was released by Apple to fix an actively exploited zero-day that affected fully updated iPhones, iPads, and Macs.
So far in 2023, Apple has patched 13 zero-day vulnerabilities that were being exploited in the wild, including these two. While details of the attacks exploiting the latest flaws are unclear, Apple credits researchers at Citizen Lab with discovering and reporting the ImageIO flaw, CVE-2023-41064.
All Apple users are advised to update their devices to the latest software versions promptly, since successful exploitation of these vulnerabilities can completely compromise an iPhone, iPad or Mac. Citizen Lab, which reported the ImageIO flaw, has stated that Lockdown Mode blocks this particular attack, which is worth enabling on high-risk devices that cannot be updated immediately.
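As an added example (not code from the original article or from Apple), the following POSIX shell script checks an inventory of reported OS versions against the first fixed releases named above (iOS and iPadOS 16.6.1, macOS Ventura 13.5.2, watchOS 9.6.2). It compares versions field by field as numbers, because a plain string comparison would rank watchOS 10.0 below 9.6.2, and it strips Rapid Security Response suffixes such as "16.5.1 (c)" before comparing. The function names are my own and the inventory lines are constructed sample data, not real devices.

```shell
#!/bin/sh
# Added example, not code from the original article or from Apple: flag devices
# still below the first releases that fix CVE-2023-41064 / CVE-2023-41061.

# Minimum fixed version for each platform named in Apple's advisory.
fixed_version() {
    case "$1" in
        ios|ipados) echo "16.6.1" ;;
        macos)      echo "13.5.2" ;;
        watchos)    echo "9.6.2" ;;
        *)          return 1 ;;
    esac
}

# version_ge A B: succeed if dotted version A >= B, comparing each numeric
# field in turn. Plain string comparison gets this wrong ("10.0" < "9.6.2").
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"          # leading field of each side
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"          # a missing field counts as 0
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# Keep only digits and dots, so a Rapid Security Response suffix such as
# "16.5.1 (c)" is compared as 16.5.1 instead of breaking the numeric test.
normalize() {
    printf '%s' "$1" | tr -cd '0-9.'
}

# is_patched PLATFORM VERSION: succeed if VERSION is at or above the fix.
is_patched() {
    fv=$(fixed_version "$1") || { echo "unknown platform: $1" >&2; return 2; }
    version_ge "$(normalize "$2")" "$fv"
}

# Constructed sample inventory (host,platform,version). On a Mac the version
# would come from `sw_vers -productVersion`; for iOS/watchOS from your MDM.
SAMPLE_INVENTORY='mac-01,macos,13.5.2
mac-02,macos,13.5.1
iphone-07,ios,16.6.1
iphone-08,ios,16.6
iphone-09,ios,16.5.1 (c)
ipad-03,ipados,16.6.1
watch-02,watchos,9.6.2
watch-03,watchos,10.0'

# Print one line per device, marking those below the fixed release.
check_inventory() {
    printf '%s\n' "$1" | while IFS=, read -r host platform version; do
        [ -z "$host" ] && continue
        if is_patched "$platform" "$version"; then
            echo "$host ($platform $version): OK"
        else
            echo "$host ($platform $version): NEEDS UPDATE"
        fi
    done
}

# Number of devices in the inventory still needing the update.
count_unpatched() {
    check_inventory "$1" | grep -c 'NEEDS UPDATE' || true
}

check_inventory "$SAMPLE_INVENTORY"
```

The check assumes each device is on the same major release line as the fix listed for its platform; it says nothing about which older major versions Apple also ships fixes for, so a device reported as "NEEDS UPDATE" should be cross-checked against the current advisory rather than assumed exploitable.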