Important Apple update to close a zero-day

Yesterday (Thursday 7 September 2023) Apple released emergency security updates for iOS, iPadOS, macOS and watchOS to address two zero-day flaws that were exploited to spread NSO Group’s Pegasus spyware.

Following the problems it had a few months ago, Apple once again finds itself fighting NSO Group's Pegasus spyware, which this time exploits two zero-day flaws.

The two flaws are described below:

  • CVE-2023-41061 – A validation issue in Wallet that could lead to arbitrary code execution when handling a malicious attachment.
  • CVE-2023-41064 – A buffer overflow issue in the Image I/O component that may lead to arbitrary code execution when processing a maliciously crafted image.

While CVE-2023-41064 was found by the Citizen Lab at the University of Toronto’s Munk School, CVE-2023-41061 was discovered internally by Apple, with “assistance” from the Citizen Lab.

Updates are available for the following devices and operating systems:

  • iOS 16.6.1 and iPadOS 16.6.1 – iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
  • macOS Ventura 13.5.2 – Macs running macOS Ventura
  • watchOS 9.6.2 – Apple Watch Series 4 and later

In a separate alert, Citizen Lab revealed that the twin flaws were weaponized as part of a zero-click iMessage exploit chain called BLASTPASS, which served to deploy Pegasus to fully patched iPhones on iOS 16.6.

“The exploit chain was able to compromise iPhones running the latest version of iOS (16.6) without any interaction from the victim,” the interdisciplinary lab said. “The exploit involved PassKit attachments containing malicious images sent from an attacker’s iMessage account to the victim.”

Further technical details of the flaws have been withheld because they are still being actively exploited. That said, the exploit is reported to bypass BlastDoor, the sandbox framework Apple created to limit zero-click attacks.

“This latest discovery shows once again that civil society is targeted by highly sophisticated attacks and high-performance spyware,” Citizen Lab said, adding that the problems were discovered last week while examining the device of an unidentified individual employed at an organization based in Washington DC and with other international locations.

Apple has so far fixed a total of 13 zero-day bugs in its software since the beginning of the year. The latest updates come more than a month after the company released fixes for an actively exploited kernel flaw.

The news of the zero-days arrives at the same time as reports that the Chinese government has ordered a ban prohibiting central and state government officials from using iPhones and other foreign-branded devices for work, in an effort to reduce dependence on foreign technology and amid a growing trade crisis between China and the United States.

“The real reason (for the ban) is: cybersecurity,” Zuk Avraham, security researcher and founder of Zimperium, said in a post on X (formerly Twitter). “The iPhone has the image of being the most secure phone… but in reality the iPhone is not secure at all against simple spying.”

“Don’t believe me? You only need to look at the number of zero-click exploits that commercial companies like NSO have had at their disposal over the years to understand that there is almost nothing an individual, an organization or a government can do to protect themselves from cyber espionage via iPhone.”