CVE-2023-41064 - Understanding the Apple ImageIO Buffer Overflow Vulnerability

In August 2023, Apple released critical security updates to address several vulnerabilities affecting macOS and iOS. One of the most serious among these is CVE-2023-41064, a buffer overflow vulnerability found in Apple’s ImageIO framework. This flaw can enable attackers to execute arbitrary code on your Apple device just by getting you to open or view a specially-crafted image.

In this post, we'll break down what the vulnerability is, how it works, which systems are at risk, and what you can do to protect your devices.

What is CVE-2023-41064?

CVE-2023-41064 is a buffer overflow issue that was present in Apple’s ImageIO, a core framework used to process images across macOS, iOS, and iPadOS. This bug could allow an attacker to run their own code on a target’s device if they succeed in getting the victim to open, or even preview, a malicious image file (like a .png, .jpg, or .tiff).

Apple’s brief advisory

> *Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.*

This means attackers may have already used this weakness in real-world attacks ("zero-day").

iPadOS before 16.6.1 and before 15.7.9

Safe versions:

iOS 15.7.9 and iPadOS 15.7.9

Update now!
To stay protected, make sure you have installed the latest updates.

Technical Explanation

At its core, a buffer overflow happens when a program writes more data to a memory buffer than it is supposed to hold. In the case of CVE-2023-41064, this flaw existed in the way ImageIO handled certain image files.

A malicious image could be crafted so that when ImageIO tries to process it, it overwrites portions of memory it shouldn’t access. Skilled attackers can use this to inject and run their own code—for example, installing spyware, stealing data, or taking over the device.

The image is sent via email, message, website, or social media.

3. The user opens or previews the image. Even sometimes "Quick Look" or seeing it in Messages could trigger the bug.

The code embedded in the image runs on the user’s device, possibly without any visible sign.

This is a “zero-click” attack surface—the victim doesn’t necessarily have to open the image file explicitly; just viewing it in a preview or thumbnail might be enough.

Sample Proof-of-Concept (PoC) Attack Code

*Note: This code is illustrative. For real-world usage, attackers need to understand ImageIO's image decoding process and craft a corrupt image format that trips the vulnerability. Actual exploit details are not publicly released by Apple or security researchers for safety reasons. But here's a simplified example to understand the concept:*

#include <stdio.h>
#include <string.h>

void vulnerable_function(char *input) {
    char buffer[256];
    // No bounds checking!
    strcpy(buffer, input);
    // ... processing, image decoding
    printf("Buffer content: %s\n", buffer);
}

int main(int argc, char *argv[]) {
    if (argc > 1) {
        vulnerable_function(argv[1]);
    }
    return ;
}

*If you pass a string longer than 256 characters, strcpy() will overflow the buffer, possibly overwriting return addresses. Real exploits would insert shellcode or ROP chains at this step.*

Real Scenario

Real attackers would embed their payload in parts of the image file’s metadata or pixel data to trigger the overflow in ImageIO's parsing routines. The attack would require deep knowledge of the image file structure and the internal workings of ImageIO.

Was CVE-2023-41064 Used in Real Attacks?

Yes. According to Apple, there are credible reports that this vulnerability has been exploited "in the wild" as a zero-day. News outlets and researchers linked this bug, together with another one (CVE-2023-41061, a WebKit bug), to major spyware operations, such as the Pegasus spyware targeting high-profile individuals.

Apple Security Update advisory:

Apple Security Updates

CVE report at MITRE:

CVE-2023-41064

Citizenlab report on related zero-click attacks:

https://citizenlab.ca/2023/09/blastpass-zero-click-exploit-apple-triage/

Be wary of unsolicited image files, even from contacts—attacks may come from compromised accounts.

- If you handle sensitive information, consider turning off iMessage and FaceTime until after updating.

Conclusion

CVE-2023-41064 highlights how even opening an image file can put your device at risk—especially if you’re slow to install updates. Apple’s rapid patch response reflects the seriousness of this vulnerability and how quickly attackers can exploit new bugs.

Stay protected: Update your Apple devices now, and stay alert!

Timeline

Published on: 09/07/2023 18:15:00 UTC
Last modified on: 09/12/2023 13:09:00 UTC