Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to patch two zero-day flaws that have been exploited to distribute NSO Group’s Pegasus mercenary spyware.
The issues are described below –
- CVE-2023-41061 – A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
- CVE-2023-41064 – A buffer overflow issue in the Image I/O component that could result in arbitrary code execution when processing a maliciously crafted image.
While CVE-2023-41064 was found by the Citizen Lab at the Munk School at the University of Toronto, CVE-2023-41061 was discovered internally by Apple with the “help” of the Citizen Lab.
The updates are available for the following devices and operating systems –
- iOS 16.6.1 and iPadOS 16.6.1 – iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- macOS Ventura 13.5.2 – macOS devices running macOS Ventura
- watchOS 9.6.2 – Apple Watch Series 4 and later
In a separate alert, Citizen Lab revealed that the twin flaws have been weaponized as part of a zero-click iMessage exploit chain called BLASTPASS to deploy Pegasus on fully patched iPhones running iOS 16.6.
“The exploit chain was able to compromise an iPhone running the latest version of iOS (16.6) without any interaction from the victim,” the interdisciplinary laboratory said. “This exploit consisted of PassKit attachments containing malicious images sent to the victim from the attacker’s iMessage account.”
Additional technical specifications regarding the vulnerabilities have been withheld in light of active exploitation. That said, the exploit bypasses the Blastdoor sandbox framework established by Apple to mitigate zero-click attacks.
“This latest discovery once again shows that civil society is being targeted by highly sophisticated exploits and spyware for hire,” Citizen Lab said. The issues were discovered last week during an investigation into the device of an unidentified individual employed by a Washington D.C.-based civil society organization with international offices.
Cupertino has fixed a total of 13 zero-day bugs in its software since the beginning of the year. The latest updates also come more than a month after the company shipped a fix for an actively used kernel flaw (CVE-2023-38606).
News of the zero-days comes as the Chinese government is believed to have ordered a ban prohibiting central and state government officials from using iPhones and other foreign-branded devices for work, in an attempt to reduce reliance on overseas technology and amid an escalating Sino-U.S. trade war.
“The real reason [for the ban] is (surprisingly) cybersecurity,” security researcher and Zimperium founder Zuk Avraham said in a post on X (formerly Twitter). “The iPhone has an image of being the most secure phone ever…but in reality, iPhones are not secure at all against simple spying.”
“Don’t believe me? Just look at the number of 0-clicks commercial companies like NSO had over the years to understand that there is almost nothing an individual, an organization, or a government can do to protect itself against cyber espionage via iPhones.”