Apple has released security patches for iOS, iPadOS, macOS, and watchOS to address two zero-day holes used to distribute Pegasus spyware from NSO Group.
The problems are listed below:
- CVE-2023-41061 - A validation flaw in Wallet that, when handled by a maliciously designed attachment, might lead to arbitrary code execution.
- When processing a maliciously created image, CVE-2023-41064, a buffer overflow flaw in the Image I/O component, might lead to arbitrary code execution.
- CVE-2023-41061 was identified internally by Apple with "assistance" from the Citizen Lab, whereas CVE-2023-41064 was discovered by the Citizen Lab at the Munk School of the University of Toronto.
- The updates are available for the following devices and operating systems -iOS 16.6.1 and iPadOS 16.6.1 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- macOS Ventura 13.5.2 - macOS devices running macOS Ventura
- watchOS 9.6.2 - Apple Watch Series 4 and later
Citizen Lab has discovered twin flaws in a zero-click iMessage exploit chain called BLASTPASS, which can deploy Pegasus on fully-patched iPhones running iOS 16.6 without any interaction from the victim. The exploit involves PassKit attachments containing malicious images sent from an attacker iMessage account to the victim. Technical details about the shortcomings have been withheld due to active exploitation, but the exploit bypasses Apple's BlastDoor sandbox framework to mitigate zero-click attacks.
While studying an unnamed device belonged to a Washington, D.C.-based civil society organization with foreign offices, Citizen Lab disclosed a recent discovery that mercenary malware and sophisticated exploits are targeting civil society.
Since the beginning of the year, Cupertino has repaired 13 zero-day defects in its software, more than a month after addressing an exploited kernel issue. The zero-days coincide with the Chinese government's decision to forbid the use of foreign-branded devices for work, which reduces reliance on foreign technology and intensifies the Sino-American trade war.
The Chinese government has banned iPhones and other foreign-branded devices for government officials to reduce reliance on overseas technology and amid the Sino-U.S. trade war. Security researcher Zuk Avraham claims that iPhones are not safe against simple espionage, despite their reputation as the most secure phone. He cites the number of 0-clicks commercial companies have experienced over the years, highlighting the lack of protection against cyber espionage via iPhones.
