Apple, in a rapid response to emerging threats, rolled out emergency security patches across several platforms on Thursday. This decision came in the wake of discoveries that two zero-day vulnerabilities were being exploited to deliver the NSO Group’s notorious Pegasus spyware onto iPhones.
Details on the Vulnerabilities
The vulnerabilities in question are as follows:
- CVE-2023-41061: This pertains to a validation flaw within the Wallet app. When a malicious attachment is handled, it could lead to arbitrary code execution.
- CVE-2023-41064: Rooted in the Image I/O component, this buffer overflow issue could result in arbitrary code execution if a maliciously crafted image is processed.
CVE-2023-41064 was identified by the Citizen Lab from the University of Torontoʼs Munk School, while Apple itself detected CVE-2023-41061, albeit with input from the Citizen Lab.
Devices and OS Affected
Apple’s security updates encompass:
- iOS 16.6.1 and iPadOS 16.6.1: iPhone 8 and onwards, all iPad Pro models, iPad Air (3rd generation onwards), iPad (5th generation onwards), and iPad mini (5th generation onwards).
- macOS Ventura 13.5.2: All macOS devices operating on macOS Ventura.
- watchOS 9.6.2: Apple Watch Series 4 and subsequent models.
In a parallel announcement, Citizen Lab revealed that these vulnerabilities were manipulated in a zero-click iMessage exploit chain, codenamed BLASTPASS, to install Pegasus on iPhones even with the latest iOS 16.6 version.
According to Citizen Lab, this exploit chain was “capable of compromising iPhones with the latest iOS without any victim interaction.” The compromise was orchestrated using PassKit attachments that contained malicious images, sent via an attacker’s iMessage account.
For the security and privacy of users, detailed technical specifics are currently withheld due to the active exploitation of these vulnerabilities. However, it’s crucial to note that the exploit has been found to bypass Apple’s BlastDoor sandbox framework, designed specifically to deter zero-click attacks.
Citizen Lab highlighted the severity of the situation, stating, “This recent discovery reaffirms that civil society faces threats from advanced exploits and spyware.” They came upon these vulnerabilities during an analysis of a device belonging to an unnamed individual associated with a civil society organization in Washington D.C. with international branches.
Apple’s Track Record for the Year
This recent action by Apple marks their tackling of a total of 13 zero-day vulnerabilities since the year’s commencement. It follows closely on the heels of their rectification of a kernel flaw (CVE-2023-38606) just over a month ago.
In related news, amidst an intensifying Sino-U.S. trade dispute, the Chinese government has reportedly instructed its central and state officials to desist from using iPhones and other foreign-branded gadgets. This move is speculated to be an effort to diminish dependency on foreign tech.
Zuk Avraham, a security researcher and founder of Zimperium, commented on the event, suggesting that while iPhones are perceived as ultra-secure devices, they might not be invulnerable to simple espionage. He pointed towards the multiple zero-click vulnerabilities that companies like NSO have exploited over the years as evidence of the iPhone’s vulnerability to cyber espionage.
The cyber landscape is continually evolving, with threats becoming more sophisticated. It underscores the importance for tech giants like Apple to remain vigilant and proactive in safeguarding user data and privacy.
Protect Your Business With Isogent’s Synchronized Security Stack
With Isogent’s Synchronized Security Stack, your organization will be protected from every type of cyberattack and threat. Set up a technology or security assessment today with one of our experts to see how protected your business really is.