Apple on Thursday released emergency security updates for iOS, iPadOS, macOS and watchOS to fix two zero-day flaws that were exploited in the wild to deliver NSO Group’s Pegasus mercenary spyware.
The issues are described below –
- CVE-2023-41061 – A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
- CVE-2023-41064 – A buffer overflow issue in the ImageIO component that could result in arbitrary code execution when processing a maliciously crafted image.
While CVE-2023-41064 was discovered by the Citizen Lab at the University of Toronto’s Munk School, CVE-2023-41061 was discovered internally by Apple, with “help” from the Citizen Lab.
Updates are available for the following devices and operating systems –
In a separate alert, Citizen Lab revealed that the two flaws were weaponized as part of a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus on fully patched iPhones running iOS 16.6.
“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” the interdisciplinary laboratory said. “The exploit involved PassKit attachments containing malicious images sent from an attacker’s iMessage account to the victim.”
Additional technical details of the flaws have been withheld in light of active exploitation. That said, the exploit is said to bypass BlastDoor, the sandbox Apple put in place to mitigate zero-click iMessage attacks.
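The attack vector above is a PassKit (.pkpass) attachment carrying image data, so a responder triaging suspicious iMessage attachments will want a way to inspect such a bundle without rendering it. The script below is an added example written for this page; it is not code from the article, from Apple or from Citizen Lab, and it is not a BLASTPASS signature (the exploit details are not public). It relies only on the documented pass format: a ZIP archive whose manifest.json maps every file to its SHA-1 hash, whose signature is a detached PKCS#7 over that manifest, and whose image entries (icon, logo, background, thumbnail, strip, footer, plus @2x/@3x variants) must be PNG. It flags files whose bytes do not match the manifest, image entries that are not actually PNG, unexpected entries, and missing required files. The sample bundle it runs on is constructed in memory; signature-chain verification against Apple's WWDR CA is out of scope and noted in the code.

```python
import hashlib
import io
import json
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Image names Apple defines for a pass; each must be a PNG file.
PASS_IMAGE_NAMES = {"icon", "logo", "background", "thumbnail", "strip", "footer"}
REQUIRED = ("pass.json", "manifest.json", "signature")


def _is_pass_image(name: str) -> bool:
    # icon.png, icon@2x.png, logo@3x.png, ... -> stem without the @scale suffix
    stem = name.rsplit(".", 1)[0].split("@", 1)[0]
    return name.lower().endswith(".png") and stem in PASS_IMAGE_NAMES


def triage_pkpass(data: bytes) -> dict:
    """Inspect a .pkpass blob statically (never rendered) and return findings."""
    findings = {"entries": [], "missing": [], "manifest_mismatch": [],
                "not_png": [], "unexpected": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["entries"] = names
        findings["missing"] = [r for r in REQUIRED if r not in names]
        manifest = json.loads(zf.read("manifest.json")) if "manifest.json" in names else {}
        for name in names:
            if name in ("manifest.json", "signature"):
                continue  # the manifest is what the signature covers, not an entry in itself
            blob = zf.read(name)
            # Every other file must appear in manifest.json with its SHA-1 hex digest.
            expected = manifest.get(name, "")
            if expected.lower() != hashlib.sha1(blob).hexdigest():
                findings["manifest_mismatch"].append(name)
            if _is_pass_image(name):
                # Declared as a pass image: the content must really be PNG.
                if not blob.startswith(PNG_MAGIC):
                    findings["not_png"].append(name)
            elif name != "pass.json" and ".lproj/" not in name:
                findings["unexpected"].append(name)
    # NOTE: the PKCS#7 'signature' (over manifest.json, chained to Apple's WWDR CA)
    # is not verified here; a real triage pipeline should do that step as well.
    return findings


def build_sample_pkpass() -> bytes:
    """Constructed sample bundle (not a real pass): one JPEG hiding under a .png
    name and one image whose manifest hash was tampered after 'signing'."""
    files = {
        "pass.json": json.dumps({"formatVersion": 1,
                                 "passTypeIdentifier": "pass.example.demo"}).encode(),
        "icon.png": PNG_MAGIC + b"\x00" * 16,          # well-formed PNG header
        "logo.png": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # JPEG bytes under a .png name
        "strip.png": PNG_MAGIC + b"\x00" * 8,
    }
    manifest = {n: hashlib.sha1(b).hexdigest() for n, b in files.items()}
    manifest["strip.png"] = "0" * 40  # hash no longer matches the file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in files.items():
            zf.writestr(n, b)
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("signature", b"")  # placeholder; real passes carry a detached PKCS#7
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_pkpass(build_sample_pkpass()).items():
        print(f"{key}: {value}")
```

On the constructed sample the triage reports logo.png under not_png (its bytes are JPEG, not PNG) and strip.png under manifest_mismatch; nothing is missing or unexpected. A clean result from these checks does not mean an attachment is safe, since a well-formed pass can still carry an image that exploits a parser bug; the value of the script is in surfacing the cheap inconsistencies first and in handling the bundle without ever handing it to ImageIO or Wallet.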
“This latest discovery once again shows that civil society is the target of highly sophisticated exploits and mercenary spyware,” Citizen Lab said, adding that the issues were discovered last week during a review of the device of an unnamed individual employed by a Washington DC-based civil society organization with international offices.
Cupertino has so far fixed a total of 13 zero-day bugs in its software since the start of the year. The latest updates also come more than a month after the company released fixes for an actively exploited kernel flaw (CVE-2023-38606).
The zero-day disclosure comes as the Chinese government has reportedly ordered central and state government officials not to use iPhones and other foreign-branded devices for work, in a bid to reduce dependence on foreign technology amid an escalating U.S.-China trade war.
“The real reason (for the ban) is cybersecurity (surprise surprise),” Zuk Avraham, security researcher and founder of Zimperium, said in a post on X (formerly Twitter). “iPhones have the image of being the most secure phones… but in reality, iPhones are not at all safe from simple spying.”
“Don’t believe me? Just look at the number of zero-click exploit companies like NSO over the years to understand that there is almost nothing an individual, organization or government can do to protect themselves against cyber espionage via iPhones.”