Apple has urgently rolled out security patches for iOS, iPadOS, macOS, and watchOS to rectify two exploited zero-day vulnerabilities linked to NSO Group’s Pegasus spyware.
Here’s a breakdown of the identified vulnerabilities:
CVE-2023-41061 – This involves a validation problem in the Wallet feature, which, when exposed to a malicious attachment, could lead to unintended code execution.
CVE-2023-41064 – The vulnerability of buffer overflow in the Image I/O module. It could execute arbitrary code upon interaction with a malicious image. Interestingly, while Citizen Lab, based at the University of Toronto’s Munk School, identified CVE-2023-41064, Apple unearthed CVE-2023-41061 with a “helping hand” from Citizen Lab.
These updates cater to:
iOS 16.6.1 and iPadOS 16.6.1 – Supporting iPhone 8 and newer, all models of iPad Pro, iPad Air from 3rd generation onwards, iPad from 5th generation onwards, and iPad mini starting from the 5th generation. macOS Ventura 13.5.2 – Those using macOS Ventura should install this update. WatchOS 9.6.2 – Compatible with Apple Watch Series 4 and newer models. Citizen Lab, in a separate notification, highlighted that these vulnerabilities have been manipulated through a no-click iMessage exploit sequence dubbed BLASTPASS, used to install Pegasus on up-to-date iPhones using iOS 16.6.
“The latest iOS version (16.6) of iPhones could be compromised by this issue without requiring any action from the device owner,” Citizen Lab elaborated. The technique involved sending the receiver malware PassKit packages from an intruder’s compromised iMessage service.
Though full technical details are currently withheld due to ongoing malicious use, it’s understood that the exploit manages to skirt around Apple’s BlastDoor sandbox mechanism, designed specifically to counter such no-click breaches.
Citizen Lab stated, “This recent discovery reaffirms that civil sectors continue to be at risk from advanced threats and contracted spyware.” They stumbled upon these issues last week during an inspection of a device owned by an anonymous individual working at a Washington, D.C.-based global civil organization.
To date, Apple has resolved 13 zero-day vulnerabilities this year. These new patches come shortly after Apple released solutions for another actively manipulated kernel issue (CVE-2023-38606).
In related news, amid the escalating tension of the Sino-U.S. trade conflict, China’s government is rumored to have imposed a ban on its central and state officials from utilizing iPhones and other foreign-brand gadgets for official purposes, emphasizing a reduced dependence on foreign tech.
Zuk Avraham, the founder of Zimperium and a security analyst, opined on X (previously known as Twitter): “The primary motive [behind the ban] is cybersecurity (unsurprisingly).” He added, “iPhones are perceived as ultra-secure… but the truth is, against basic espionage, they’re far from secure.” He cited the track record of companies like NSO and their numerous 0-click exploits over the years as a testament to the iPhone’s vulnerability to cyber espionage.