Update your iPhone and Mac now - Apple has fixed two major security bugs

Tourists swarm outside the Apple Store on Nanjing Road pedestrian street in Shanghai, China, April 5, 2023.
(Image credit: Photo by Costfoto/NurPhoto via Getty Images)

Apple has released a fix for two high-severity vulnerabilities found in iPhone and Mac devices, with users urged to update their devices immediately.

The flaws are tracked as CVE-2023-41064, and CVE-2023-41061. The former is a buffer overflow weakness and can enable arbitrary code execution on vulnerable endpoints. The latter is a validation issue that threat actors can use for the same goal - arbitrary code execution via malicious attachments. 

The two flaws were found in a wide array of Apple’s devices, including all phones from iPhone 8 onward, all iPad Pro models, iPad Air 3rd generation and newer, iPad 5th generation and newer, and iPad mini 5th generation and newer. The flaw also affects Macs powered by macOS Ventura, and Apple Watch Series 4 and newer.

Active exploit

The patch brings macOS Ventura to version 13.5.2, iOS to version 16.6.1, iPadOS to 16.6.1, and watchOS to 9.6.2, so if you’re worried about the flaws, make sure your OS runs these versions. The flaws are being actively abused in the wild, so make sure to apply the patch as soon as you can. 

"Apple is aware of a report that this issue may have been actively exploited," the Cupertino giant said in its security advisory. 

While Apple did not detail who used the flaws and in which campaigns, BleepingComputer cited Citizen Lab, a cybersecurity company claiming the flaws were part of a zero-click iMessage exploit chain named BLASTPASS. The goal of this campaign was to deliver Pegasus, an infamous commercial spyware developed by the now-blacklisted Israeli-based NSO Group. A zero-click attack is just as it sounds - it requires no activity from the victim’s side, making it extremely dangerous.

Apple has been keeping busy this year, with a total of 13 zero-day vulnerabilities having been addressed this year, already. In late July this year, Apple urged its users to apply an emergency update that plugged a hole made by the CVE-2023-38606.

More security news from TechRadar Pro

Via: BleepingComputer

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Apple's new "Share Item Location" feature for AirTags.
Apple security alert - zero-day patched, so update your devices now
Apple Siri
Update your Apple device now: iOS 18.3.2 fixes a flaw that could be exploited by hackers
An option to add Ambient Music buttons to the iOS 18.4 Control Center.
Apple fixes dangerous zero-day used in attacks against iPhones and iPads
An iPhone with a 10:30am alarm ringing next to an Apple Watch that displays the time as 12:42pm
Apple warns "extremely sophisticated attack" hits iPhones and iPads, so update now
An abstract image of a lock against a digital background, denoting cybersecurity.
Apple CPU security issue could let hackers steal user data from browsers
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
A worrying Apple Password App vulnerability reportedly left users exposed for months
Latest in Security
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Google Chrome
Google Chrome security flaw could have let hackers spy on all your online habits
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Latest in News
A young woman is working on a laptop in a relaxed office space.
I’ll admit, Microsoft’s new Windows 11 update surprised me with its usefulness, providing accessibility fixes, a gamepad keyboard layout, and PC spec cards
inZOI promotional material.
inZOI has become the most wishlisted game on Steam, but I wouldn't get too caught up in the hype
Xbox Series X and Xbox wireless controller set to a green background
Xbox Insiders are currently testing a new Game Hub feature that looks useful, but I've got mixed feelings about it
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Nespresso Vertuo Pop machine in Candy Pink with coffee drinks and capsules
My favorite Nespresso coffee maker just got a fresh new makeover, and now I love it even more
Microsoft Surface Laptop and Surface Pro devices on a table.
Hate Windows 11’s search? Microsoft is fixing it with AI, and that almost makes me want to buy a Copilot+ PC