No Phone is Safe? Apple’s Latest Security Patches 

Reading Time: ( Word Count: )

September 8, 2023
Nextdoorsec-course

Apple has urgently rolled out security patches for iOS, iPadOS, macOS, and watchOS to rectify two exploited zero-day vulnerabilities linked to NSO Group’s Pegasus spyware.

Here’s a breakdown of the identified vulnerabilities:

CVE-2023-41061 – This involves a validation problem in the Wallet feature, which, when exposed to a malicious attachment, could lead to unintended code execution. 

CVE-2023-41064 – The vulnerability of buffer overflow in the Image I/O module. It could execute arbitrary code upon interaction with a malicious image. Interestingly, while Citizen Lab, based at the University of Toronto’s Munk School, identified CVE-2023-41064, Apple unearthed CVE-2023-41061 with a “helping hand” from Citizen Lab.

Also Read: Recent Hot Wallet Breaches Stir Concern in the Crypto World

These updates cater to:

iOS 16.6.1 and iPadOS 16.6.1 – Supporting iPhone 8 and newer, all models of iPad Pro, iPad Air from 3rd generation onwards, iPad from 5th generation onwards, and iPad mini starting from the 5th generation. macOS Ventura 13.5.2 – Those using macOS Ventura should install this update. WatchOS 9.6.2 – Compatible with Apple Watch Series 4 and newer models. Citizen Lab, in a separate notification, highlighted that these vulnerabilities have been manipulated through a no-click iMessage exploit sequence dubbed BLASTPASS, used to install Pegasus on up-to-date iPhones using iOS 16.6.

Apple's Latest Security Patches

“The latest iOS version (16.6) of iPhones could be compromised by this issue without requiring any action from the device owner,” Citizen Lab elaborated. The technique involved sending the receiver malware PassKit packages from an intruder’s compromised iMessage service.

Though full technical details are currently withheld due to ongoing malicious use, it’s understood that the exploit manages to skirt around Apple’s BlastDoor sandbox mechanism, designed specifically to counter such no-click breaches.

Citizen Lab stated, “This recent discovery reaffirms that civil sectors continue to be at risk from advanced threats and contracted spyware.” They stumbled upon these issues last week during an inspection of a device owned by an anonymous individual working at a Washington, D.C.-based global civil organization.

To date, Apple has resolved 13 zero-day vulnerabilities this year. These new patches come shortly after Apple released solutions for another actively manipulated kernel issue (CVE-2023-38606).

In related news, amid the escalating tension of the Sino-U.S. trade conflict, China’s government is rumored to have imposed a ban on its central and state officials from utilizing iPhones and other foreign-brand gadgets for official purposes, emphasizing a reduced dependence on foreign tech.

Zuk Avraham, the founder of Zimperium and a security analyst, opined on X (previously known as Twitter): “The primary motive [behind the ban] is cybersecurity (unsurprisingly).” He added, “iPhones are perceived as ultra-secure… but the truth is, against basic espionage, they’re far from secure.” He cited the track record of companies like NSO and their numerous 0-click exploits over the years as a testament to the iPhone’s vulnerability to cyber espionage.

Saher Mahmood

Saher Mahmood

Author

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
How Often Should Penetration Testing Be Done

How Often Should Penetration Testing Be Done

Penetration testing is a crucial technique that involves simulating a cyberattack on networks, computer systems, ...
0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *