Alerts and Advisories 11 September 2023

Apple Security Update Fixes Vulnerabilities Linked To Pegasus Spyware

Advisory

Advisory
11 September 2023

 

Background

Apple has released security updates for iOS, macOS, iPadOS and watchOS to fix two zero-day vulnerabilities which have been exploited in the wild to compromise Apple products without any interaction from the victim. The exploit allows attackers to target victims with NSO Group’s Pegasus Spyware, without any interaction from the targeted user.

The two known vulnerabilities are tracked as CVE-2023-41064 and CVE-2023-41061.

 

Impact

The vulnerability CVE-2023-41064 allows devices to become susceptible to attack when processing a maliciously crafted image.

The vulnerability CVE-2023-41061 creates security issues if a device handles a maliciously crafted attachment.

 

System Affected

  • iPhone 8 and later
  • iPad Pro (all models)
  • iPad Air 3rd generation and later
  • iPad 5th generation and later
  • iPad mini 5th generation and later
  • Macs running macOS Ventura
  • Apple Watch Series 4 and later

 

Recommendations

 

  • Users of iPhone, iPad, Mac and Apple Watch are advised to update their operating system to the latest versions immediately:
    • iOS 16.6.1
    • iPadOS 16.6.1
    • macOS Ventura 13.5.2
    • watchOS 9.6.2
  • Regularly update your operating system and other software programs to ensure that vulnerabilities are patched.
  • Install reliable antivirus software and regularly update it, to detect and remove any malware infections on your computer.
  • Use strong, unique passwords for all your accounts, and avoid reusing the same password across multiple accounts.
  • Implement multi-factor authentication for all services if possible, especially for email, virtual private networks, and accounts that access critical systems.
  • Keep multiple and separate backups of data. Regularly back up your important files to an external hard drive or cloud storage service. This will ensure that you have a copy of your data in case of any cyber- related attack.
  • Avoid downloading software or apps from untrusted sources.
  • Enable your computer's firewall to help protect against unauthorized access to the system.
  • Deploy network monitoring tools to help identify abnormal activities in the network, audit user accounts and disable unused ports and services.

 

References

https://therecord.media/apple-discloses-two-zero-days-in-new-updates
https://9to5mac.com/2023/09/07/apple-fixed-zero-day-exploit-used-by-pegasus-spyware-with-ios-16-6-1/
https://nvd.nist.gov/vuln/detail/CVE-2023-41064