Apple Releases Emergency Security Updates Fixing Zero-Days Used in Pegasus Spyware Attack on iPhones

by time news

NSO Group’s Pegasus spyware infiltrated fully patched iPhones using zero-click exploit chain via PassKit attachments

Citizen Lab, a cybersecurity watchdog organization, has revealed that two zero-day vulnerabilities, known as CVE-2023-41064 and CVE-2023-41061, were actively exploited to deploy the notorious Pegasus spyware onto fully patched iPhones. The zero-click exploit chain was employed to infiltrate iPhones running the latest version of iOS (16.6) without any interaction from the victim.

The attack vector included PassKit attachments that contained malicious images, which were sent from an attacker’s iMessage account to the targeted device. This allowed the attackers to infect a fully patched iPhone belonging to a civil society organization based in Washington DC.

Citizen Lab labeled the exploit chain as “BLASTPASS” and emphasized the severity of the vulnerabilities. They advised Apple customers to update their devices immediately and recommended the activation of Lockdown Mode for individuals who might be at risk of targeted attacks due to their identity or profession.

The two zero-day vulnerabilities were discovered by Apple and Citizen Lab security researchers in the Image I/O and Wallet frameworks. CVE-2023-41064 is a buffer overflow vulnerability that is triggered when processing maliciously crafted images. CVE-2023-41061 is a validation issue that can be exploited through malicious attachments.

Apple promptly addressed the flaws in its recent emergency security updates, including macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2. The updates incorporated improved logic and memory handling to mitigate these vulnerabilities.

The list of affected devices includes iPhone 8 and later models, all models of iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later, Macs running macOS Ventura, and Apple Watch Series 4 and later.

This incident highlights the ongoing efforts by malicious actors to exploit security vulnerabilities in Apple’s ecosystem. Since the beginning of the year, Apple has addressed a total of 13 zero-day vulnerabilities targeted at various devices running iOS, macOS, iPadOS, and watchOS.

Apple remains committed to ensuring the security and privacy of its users, and it is crucial for users to promptly update their devices to protect against potential threats. Regular software updates and vigilance are key in safeguarding against cyberattacks and the deployment of spyware.
