Apple has released emergency security updates for iOS, iPadOS, macOS, and watchOS systems to counteract two zero-day vulnerabilities that attackers have actively exploited to deliver the notorious NSO Group’s Pegasus mercenary spyware.
The two zero-day vulnerabilities, CVE-2023-41061 and CVE-2023-41064, have distinct characteristics:
- CVE-2023-41061: This validation issue found in the Wallet framework could lead to arbitrary code execution when processing a malicious attachment. Apple discovered this vulnerability internally but received assistance from Citizen Lab, a security research group.
- CVE-2023-41064: An equally critical buffer overflow vulnerability was identified in the Image I/O component. When processing a maliciously crafted image, this flaw could be exploited to execute arbitrary code on a targeted device. Citizen Lab’s security researchers independently discovered this vulnerability.
Apple addressed these vulnerabilities by releasing security updates for the following operating systems and devices:
- iOS 16.6.1 and iPadOS 16.6.1 for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
- macOS Ventura 13.5.2 for Macs running macOS Ventura.
- watchOS 9.6.2 for Apple Watch Series 4 and later.
Citizen Lab disclosed that these vulnerabilities were exploited as part of a sophisticated zero-click iMessage exploit chain named ‘BLASTPASS’. This chain was used to clandestinely deploy NSO Group’s Pegasus spyware onto fully-patched iPhones running iOS 16.6. The chain’s efficiency was alarming, as it compounded iPhones without requiring any interaction from the victims.
The attack vector sent PassKit attachments containing malicious images from an attacker-controlled iMessage account to the intended victim. These attacks bypassed Apple’s BlastDoor sandbox framework, specifically designed to thwart zero-click attacks.
“This latest find shows once again that civil society is targeted by highly sophisticated exploits and mercenary spyware,” said Citizen Lab. The vulnerabilities were uncovered while examining the device belonging to an unidentified individual employed by a Washington, D.C.-based civil society organisation with international offices.
This is the latest in a series of security incidents involving Apple’s products this year, with a total of 13 zero-day vulnerabilities having been exploited in attacks against devices running iOS, macOS, iPadOS, and watchOS.
Governments worldwide use Pegasus and other tools to snoop on their citizens, including the governments of India, Mexico, and Bahrain, among others. Recently, China has banned its officials from using iPhones, which led to a massive slide in Apple shares, with Apple losing about $200 billion in just two days of the news.
The threat landscape is evolving rapidly; as seen in this case, even fully-patched devices are not immune to sophisticated attacks. iPhone users, especially those working in civil society organisations, should immediately apply the patch and take precautions to minimise exposure to such risks.
In the News: Android’s September update: 33 vulnerabilities, zero-day patched
