Only days before the Apple Wonderlust event, Apple has unexpectedly released iOS 16.6.1, bringing two important security fixes for flaws that are already being used in real-world attacks.
The CVE-2023-41064 and CVE-2023-41061 flaws were reported by the Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto.
Citizen Lab, which calls the pair “BLASTPASS,” says the bugs are serious because they can be exploited simply by loading an image or attachment, something that happens routinely in Safari, Messages, WhatsApp, and other first- and third-party apps.
These bugs are also called “zero-click” or “clickless” vulnerabilities.
First, there is ImageIO, the system framework that lets apps read and write image file formats. It also provides access to the metadata attached to an image.
Apple says this may already have been exploited, and notes that the fix came about “by addressing a buffer overflow issue to improve memory handling.”
Second, and just as crucial, is a security issue affecting the Wallet app. Again, Apple acknowledges that this may already have been exploited in the real world. It came down to a validation issue and “was addressed with improved logic.”
iOS 16.6.1 Security Fixes
ImageIO
Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A buffer overflow issue was addressed with improved memory handling.
Wallet
Impact: A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A validation issue was addressed with improved logic.
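Both advisory entries describe the same broad defect class without giving details: a length or size field taken from an untrusted file drives a copy before anyone checks it against the destination buffer or the remaining input. The following C program is an added illustration of that class and its fix, written for this page; it uses a constructed toy chunk format (4-byte big-endian length plus payload) and is not ImageIO's, Wallet's or the BLASTPASS code, which the page does not show. Function names, the format and the sample inputs are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy format (not a real Apple format): a metadata chunk is a
 * 4-byte big-endian payload length followed by the payload bytes. */
#define CHUNK_BUF_SIZE 64

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LARGE = 2 };

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the attacker-controlled length field is trusted and
 * drives the copy into a fixed-size buffer. A declared length larger than
 * CHUNK_BUF_SIZE writes past `out`; one larger than the file reads past it.
 * Shown for contrast only; never called on hostile input below. */
size_t parse_chunk_unchecked(const uint8_t *file, size_t file_len,
                             uint8_t out[CHUNK_BUF_SIZE]) {
    (void)file_len;                     /* never consulted: that is the bug */
    uint32_t declared = read_be32(file);
    memcpy(out, file + 4, declared);    /* unbounded copy */
    return declared;
}

/* Hardened form: every bound is checked before any byte is copied. */
enum parse_status parse_chunk_checked(const uint8_t *file, size_t file_len,
                                      uint8_t out[CHUNK_BUF_SIZE],
                                      size_t *out_len) {
    if (file_len < 4) return PARSE_TRUNCATED;          /* no room for a header */
    uint32_t declared = read_be32(file);
    if (declared > CHUNK_BUF_SIZE) return PARSE_TOO_LARGE;   /* would overflow out */
    if (declared > file_len - 4) return PARSE_TRUNCATED;     /* would read past input */
    memcpy(out, file + 4, declared);
    *out_len = declared;
    return PARSE_OK;
}

/* Constructed sample inputs. Each returns the parser's verdict so the
 * behaviour can be checked without ever triggering the unchecked copy. */

/* Well-formed chunk: returns the payload length (5), or -1 on rejection. */
int demo_well_formed(void) {
    const uint8_t file[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[CHUNK_BUF_SIZE]; size_t n = 0;
    if (parse_chunk_checked(file, sizeof file, out, &n) != PARSE_OK) return -1;
    return (int)n;
}

/* Length field claims 4096 bytes: larger than the buffer, rejected. */
int demo_oversized_length(void) {
    const uint8_t file[] = { 0, 0, 0x10, 0, 'A', 'B', 'C', 'D' };
    uint8_t out[CHUNK_BUF_SIZE]; size_t n = 0;
    return parse_chunk_checked(file, sizeof file, out, &n);
}

/* Length field claims 16 bytes but only 3 follow: truncated, rejected. */
int demo_truncated(void) {
    const uint8_t file[] = { 0, 0, 0, 16, 'x', 'y', 'z' };
    uint8_t out[CHUNK_BUF_SIZE]; size_t n = 0;
    return parse_chunk_checked(file, sizeof file, out, &n);
}

int main(void) {
    printf("well-formed  -> payload length %d\n", demo_well_formed());
    printf("oversized    -> status %d (2 = too large)\n", demo_oversized_length());
    printf("truncated    -> status %d (1 = truncated)\n", demo_truncated());
    return 0;
}
```

The ordering of the two checks matters: the destination-capacity check comes first so a huge declared length is rejected before it is compared against the input size, and `file_len - 4` is only computed after the header-length check so it cannot underflow. That is the shape of the "improved memory handling" and "improved logic" the advisory alludes to, whatever the real fix looks like.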
iOS 16.6.1 Supported Devices
iOS 16.6.1 will run on all iPhones from iPhone 8 onwards. To be exact:
- iPhone 14
- iPhone 14 Plus
- iPhone 14 Pro
- iPhone 14 Pro Max
- iPhone 13
- iPhone 13 mini
- iPhone 13 Pro
- iPhone 13 Pro Max
- iPhone 12
- iPhone 12 mini
- iPhone 12 Pro
- iPhone 12 Pro Max
- iPhone 11
- iPhone 11 Pro
- iPhone 11 Pro Max
- iPhone XS
- iPhone XS Max
- iPhone XR
- iPhone X
- iPhone 8
- iPhone 8 Plus
- iPhone SE (2nd generation or later)
As usual, to update to iOS 16.6.1, go to Settings > General > Software Update on your iPhone and install it as soon as you possibly can.