Security updates for macOS, iOS/iPadOS close two 0-Days from NSO-Group (Pegasus Spyware)

Apple has released another slew of security updates for its macOS, iOS/iPadOS and also WatchOS operating systems as of September 7, 2023. These updates fix two 0-day vulnerabilities that were abused by NSO Group's Pegasus spyware to monitor mobile devices.

Apple's September 7, 2023 security updates are listed on this company security page. Here is a brief overview of these updates:

• macOS Ventura 13.5.2: The vulnerability CVE-2023-41064 (buffer overflow in the Mac operating system reported by Citizen Lab at the University of Toronto's Munk School has been closed. Processing a manipulated image can lead to the execution of arbitrary code. Apple is aware of a report that this issue may have been actively exploited.
• OS 16.6.1 and iPadOS 16.6.1: These updates for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5 also close the CVE-2023-41064 vulnerability outlined above.
• watchOS 9.6.2: Fixed a validation issue (CVE-2023-41061) in the operating system for Apple Watch Series 4 and later. A maliciously crafted attachment could lead to the execution of arbitrary code. Apple is aware of a report that this issue may have been actively exploited.

The Record has published some more notes on the CVE-2023-41064 vulnerability discovered by Citizen Lab in this post. The post from Citizen Lab about the 0-day exploit may be found here. The vulnerabilities mentioned above and now closed could be abused by NSO Group's Pegasus spyware to monitor mobile devices.