‘Clickless’ Zero-Day Image Processing

Vulnerability in iOS, macOS

CVE ID

CVE-2023-41064 / CVE-2023-41061

Exploited in the wide

Yes

Risk Rating\CVSS

9.8

Associated Threat actor \Malware/campaign

exploited in a chain to install NSO Group’s Pegasus spyware on a victim’s device.

User Interaction

None

Affected Products

Apple iOS 16.6, iPadOS 16.6, macOS Ventura 13.5.1

Summary

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1. Processing a maliciously crafted image may lead to arbitrary code execution.

Analysis

An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code, by craft a malicious file and send it to a vulnerable device that is not in “Lockdown Mode.

Patch/Mitigation

The issue is fixed in macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1.