‘Clickless’ Zero-Day Image Processing Vulnerability in iOS, macOS
‘Clickless’ Zero-Day Image Processing Vulnerability in iOS, macOS | |
CVE ID | CVE-2023-41064 / CVE-2023-41061 |
Exploited in the wide | Yes |
Risk Rating\CVSS | 9.8 |
Associated Threat actor \Malware/campaign
| exploited in a chain to install NSO Group’s Pegasus spyware on a victim’s device. |
User Interaction | None |
Affected Products |
Apple iOS 16.6, iPadOS 16.6, macOS Ventura 13.5.1 |
Summary | A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1. Processing a maliciously crafted image may lead to arbitrary code execution. |
Analysis |
An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code, by craft a malicious file and send it to a vulnerable device that is not in “Lockdown Mode.
|
Patch/Mitigation |
The issue is fixed in macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1. |