Apple raced to fix zero-day vulnerabilities in iPhones that were used by Pegasus spyware.


On Thursday, Apple issued emergency security updates for iOS, iPadOS, macOS and watchOS to fix two zero-day vulnerabilities that have been exploited in the wild to deliver Pegasus, the mercenary spyware developed by NSO Group.

The two flaws are described as follows:

CVE-2023-41061: a validation issue in Wallet that can lead to arbitrary code execution when processing a maliciously crafted attachment.
CVE-2023-41064: a buffer overflow in the Image I/O component that can lead to arbitrary code execution when processing a maliciously crafted image.

CVE-2023-41064 was discovered by the Citizen Lab at the University of Toronto's Munk School, while CVE-2023-41061 was found internally by Apple with "assistance" from the Citizen Lab.

The updates are available for the following devices and operating systems:

iOS 16.6.1 and iPadOS 16.6.1: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
macOS Ventura 13.5.2: Macs running macOS Ventura
watchOS 9.6.2: Apple Watch Series 4 and later

According to a separate advisory from Citizen Lab, the two vulnerabilities were chained in a zero-click iMessage exploit dubbed BLASTPASS to install Pegasus on fully patched iPhones running iOS 16.6.

The transdisciplinary laboratory stated that “the exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim.” “PassKit attachments with malicious images sent from an attacker’s iMessage account to the victim were the exploit’s main component.”

Further technical details about the flaws have been withheld because they are being actively exploited. That said, the exploit is reported to bypass Apple's BlastDoor sandbox framework, which was introduced to mitigate zero-click attacks.
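As an added example (not code from Citizen Lab, Apple or the article), the following Python script performs the first triage step an incident responder might want for a suspicious PassKit attachment: open the .pkpass container (a ZIP archive holding pass.json, manifest.json, a signature and PNG images such as icon.png and logo.png) and flag members that are missing from manifest.json, whose SHA-1 does not match it, or whose image bytes do not match their file extension. The container layout follows Apple's public Wallet pass format; the magic-byte heuristic, the format set it recognises and the constructed sample passes are assumptions for illustration, and a clean result says nothing about whether an attachment is actually benign.

```python
"""Triage a PassKit (.pkpass) attachment for members that do not look the way they claim.

Added example for this article, not Citizen Lab's or Apple's code. Assumes the public
.pkpass layout: a ZIP containing pass.json, manifest.json (SHA-1 of every other member
except the signature), a CMS signature, and PNG images. The magic-byte set below is an
assumed triage heuristic, not an exhaustive list of formats an image decoder accepts.
"""
import hashlib
import io
import json
import zipfile

# Leading bytes of a few common image containers (assumed set for triage).
_MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)

# What a member's extension claims it is.
_DECLARED = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def sniff_image(data: bytes) -> str:
    """Return the image format implied by the leading bytes, or 'unknown'."""
    for magic, name in _MAGIC:
        if data.startswith(magic):
            return name
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    if data[4:8] == b"ftyp":
        return "heif"  # ISO BMFF family (HEIC/HEIF/AVIF); brand not distinguished here
    return "unknown"


def triage_pkpass(blob: bytes) -> list:
    """Return human-readable findings for one .pkpass archive (empty list = nothing flagged)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        for required in ("pass.json", "manifest.json", "signature"):
            if required not in names:
                findings.append(f"missing required member: {required}")
        manifest = {}
        if "manifest.json" in names:
            try:
                manifest = json.loads(z.read("manifest.json"))
            except ValueError:
                findings.append("manifest.json is not valid JSON")
        for name in names:
            if name in ("manifest.json", "signature"):
                continue
            data = z.read(name)
            # manifest.json lists the SHA-1 of every other member; unlisted or
            # mismatched members were added or altered after the pass was built.
            digest = hashlib.sha1(data).hexdigest()
            if name not in manifest:
                findings.append(f"{name}: not listed in manifest.json")
            elif manifest[name] != digest:
                findings.append(f"{name}: manifest SHA-1 {manifest[name]} != actual {digest}")
            # Image members: compare what the extension claims with what the bytes are.
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in _DECLARED:
                actual = sniff_image(data)
                if actual != _DECLARED[ext]:
                    findings.append(f"{name}: named as {_DECLARED[ext]} but content sniffs as {actual}")
    return findings


def build_sample_pkpass(logo_bytes: bytes) -> bytes:
    """Construct a minimal .pkpass in memory (constructed sample data, not a real signed pass)."""
    members = {
        "pass.json": json.dumps({"formatVersion": 1, "description": "constructed sample"}).encode(),
        "icon.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "logo.png": logo_bytes,
    }
    manifest = {n: hashlib.sha1(d).hexdigest() for n, d in members.items()}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for n, d in members.items():
            z.writestr(n, d)
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("signature", b"constructed-placeholder-not-a-real-cms-signature")
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_pkpass(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    # A logo.png whose bytes are actually a JPEG header: chosen only to show the
    # extension/content mismatch check, not a claim about what BLASTPASS used.
    odd = build_sample_pkpass(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    print("clean:", triage_pkpass(clean))
    print("odd:", triage_pkpass(odd))
```

In practice you would run `triage_pkpass()` over the attachment bytes recovered from a device backup or message store, and the signature member would additionally be verified against Apple's pass-signing chain, which this example does not attempt.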

Citizen Lab discovered the flaws last week while examining the device of an unnamed individual employed by a Washington, D.C.-based civil society organization with international offices. “This latest find shows once again that civil society is targeted by highly sophisticated exploits and mercenary spyware,” Citizen Lab said.

Since the start of the year, Apple has patched 13 zero-day vulnerabilities in its software. The latest updates also arrive a little over a month after the company shipped fixes for an actively exploited kernel vulnerability (CVE-2023-38606).

The disclosure also comes as the Chinese government has reportedly ordered central and state government employees not to use iPhones and other foreign-branded smartphones for work, a move seen as an effort to reduce dependence on foreign technology as the Sino-US trade war intensifies.

In a post on X (formerly Twitter), security researcher and Zimperium founder Zuk Avraham stated, “The real reason [for the ban] is: cybersecurity (surprise surprise).” “Despite their reputation as the most secure phone, iPhones are not safe against basic espionage at all.”

“Don’t trust me? It is evident from the sheer volume of 0-clicks that commercial firms such as NSO have experienced over the years that there is really little that an individual, an organization, or a government can do to safeguard themselves from iPhone-based cyber espionage.”
