Ahead of the arrival of iOS 17, iPadOS 17, watchOS 10 and macOS Sonoma, expected a few days after the September 12 event, Apple has released iOS 16.6.1, iPadOS 16.6.1, watchOS 9.6.2 and macOS 13.5.2. These versions include fixes for security vulnerabilities that, according to the Cupertino company, may have been actively exploited.
According to the support page on Apple’s website, the updates correct two vulnerabilities that are already being actively used in attacks: CVE-2023-41064 is a flaw in ImageIO on macOS and iOS, and CVE-2023-41061 affects Wallet on iOS and watchOS. iOS 16.6.1 and iPadOS 16.6.1 have build number 20G81; the previous build was 20G75. macOS Ventura has build number 22G91, and watchOS 9.6.2 has build 20U90.
In iOS, iPadOS, and macOS, processing a maliciously crafted image could lead to arbitrary code execution, allowing an attacker to easily gain access to the operating system. Apple addressed the buffer overflow issue in ImageIO with improved memory handling.
Apple also fixed a vulnerability in the Wallet app on iOS and watchOS that could likewise lead to arbitrary code execution. This validation issue has been addressed with improved logic.
As reported by Citizen Lab, these vulnerabilities are part of an exploit chain named “BLASTPASS” that was reportedly used to install NSO Group’s Pegasus spyware. It is a zero-click chain: attackers could reportedly send a specially crafted PassKit (Wallet) image via iMessage to “infect” the device “without any interaction from the victim”.
Since these updates include important security fixes, we recommend that you install iOS 16.6.1, iPadOS 16.6.1, macOS 13.5.2, and watchOS 9.6.2 as soon as possible.
All updates are available over the air (OTA) through the appropriate menus in the system settings. To install them, the device must be connected to Wi-Fi and have at least 50% battery charge; otherwise, it must be connected to a charger during the update and have at least 20% battery remaining.
On both iPhone and iPad with data connectivity, you can also download iOS 16.6.1 and iPadOS 16.6.1 over cellular after turning on the Allow more data on 5G network feature in Settings – Cellular – Cellular Data Options – Data Consumption (on iPhone). Upgrading Apple Watch to watchOS 9.6.2, on the other hand, requires the watch to be connected to its charger and to have at least 50% battery charge.