On Thursday, Apple urgently issued security patches for iOS, iPadOS, macOS, and watchOS. These updates were released in response to the exploitation of two previously unknown vulnerabilities in the wild. These flaws were utilized to deploy NSO Group's Pegasus spyware, often used for mercenary purposes.
The two issues are described as follows:
CVE-2023-41061: This concerns a validation problem within Wallet. It has the potential to lead to arbitrary code execution if a maliciously crafted attachment is processed.
CVE-2023-41064: This pertains to a buffer overflow problem within the Image I/O component. It could lead to arbitrary code execution when dealing with a maliciously crafted image.
CVE-2023-41064 was identified by the Citizen Lab at the University of Toronto's Munk School, while CVE-2023-41061 was detected internally by Apple, with the Citizen Lab providing "assistance" in the process.
The available updates apply to the following devices and operating systems:
iOS 16.6.1 and iPadOS 16.6.1:
Compatible with iPhone 8 and newer models, iPad Pro (all versions), iPad Air starting from the 3rd generation, iPad from the 5th generation onwards, and iPad mini from the 5th generation onwards.
macOS Ventura 13.5.2:
Applicable to Mac devices running macOS Ventura.
watchOS 9.6.2:
Compatible with Apple Watch Series 4 and subsequent models.
In a separate advisory, Citizen Lab disclosed that the two vulnerabilities have been used in a zero-click iMessage exploit chain dubbed BLASTPASS. This exploit chain enables the deployment of Pegasus on iPhones that are fully up to date with iOS 16.6.
Because exploitation is ongoing, detailed technical information about these vulnerabilities has not been disclosed.
Nevertheless, it has been reported that the exploit has the capability to circumvent Apple's BlastDoor sandbox framework, which was designed to counteract zero-click attacks.
Kaspersky, a prominent Russian cybersecurity firm, has also raised an alarm about an ongoing attack campaign that it says exploits a zero-click, zero-day iMessage vulnerability.
Reports of these zero-day vulnerabilities also coincide with indications that the Chinese government may have issued a directive banning central and state government officials from using iPhones and other foreign-branded devices for official work. This move is seen as part of an effort to lessen dependence on foreign technology amid an intensifying trade dispute between China and the United States.