Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware.
The issues are described as below -
- CVE-2023-41061 - A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
- CVE-2023-41064 - A buffer overflow issue in the Image I/O component that could result in arbitrary code execution when processing a maliciously crafted image.
While CVE-2023-41064 was found by the Citizen Lab at the University of Torontoʼs Munk School, CVE-2023-41061 was discovered internally by Apple, with "assistance" from the Citizen Lab.
The updates are available for the following devices and operating systems -
- iOS 16.6.1 and iPadOS 16.6.1 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- macOS Ventura 13.5.2 - macOS devices running macOS Ventura
- watchOS 9.6.2 - Apple Watch Series 4 and later
In a separate alert, Citizen Lab revealed that the twin flaws have been weaponized as part of a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus on fully-patched iPhones running iOS 16.6.
"The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim," the interdisciplinary laboratory said. "The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim."
Additional technical specifics about the shortcomings have been withheld in light of active exploitation. That said, the exploit is said to bypass the BlastDoor sandbox framework set up by Apple to mitigate zero-click attacks.
"This latest find shows once again that civil society is targeted by highly sophisticated exploits and mercenary spyware," Citizen Lab said, adding the issues were found last week when examining the device of an unidentified individual employed by a Washington D.C.-based civil society organization with international offices.
Cupertino has so far fixed a total of 13 zero-day bugs in its software since the start of the year. The latest updates also arrive more than a month after the company shipped fixes for an actively exploited kernel flaw (CVE-2023-38606).
News of the zero-days comes as the Chinese government is believed to have ordered a ban prohibiting central and state government officials from using iPhones and other foreign-branded devices for work in an attempt to reduce reliance on overseas technology and amid an escalating Sino-U.S. trade war.
"The real reason [for the ban] is: cybersecurity (surprise surprise)," Zuk Avraham, security researcher and founder of Zimperium, said in a post on X (formerly Twitter). "iPhones have an image of being the most secure phone... but in reality, iPhones are not safe at all against simple espionage."
"Don't believe me? Just look at the number of 0-clicks commercial companies like NSO had over the years to understand that there is almost nothing an individual, an organization, or a government can do to protect itself against cyber espionage via iPhones."