Apple released emergency security patches for its operating systems on Thursday to fix two zero-day flaws exploited in the wild to deliver the notorious Pegasus spyware.
Update Your Apple Device Now!
The Citizen Lab discovered CVE-2023-41064, while Apple internally found CVE-2023-41061 with assistance from Citizen Lab.
In a recent report, Citizen Lab disclosed that the two vulnerabilities were exploited through a zero-click iMessage attack named BLASTPASS, allowing Pegasus to be installed on fully patched iPhones running iOS 16.6.
We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim.
The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.
We expect to publish a more detailed discussion of the exploit chain in the future.
Here is a clearer description of the issues:
- CVE-2023-41061: A vulnerability in Wallet that allows arbitrary code execution via a malicious attachment.
- CVE-2023-41064: A buffer overflow in the Image I/O component may allow attackers to execute arbitrary code via a malicious image.
The following devices and operating systems are eligible for updates:
ImageIO
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2023-41064: The Citizen Lab at The University of Torontoʼs Munk School
Wallet
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A validation issue was addressed with improved logic.
CVE-2023-41061: Apple
ImageIO
Available for: macOS Ventura
Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2023-41064: The Citizen Lab at The University of Torontoʼs Munk School
Wallet
Available for: Apple Watch Series 4 and later
Impact: A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A validation issue was addressed with improved logic.
CVE-2023-41061: Apple
Due to active exploitation, additional technical details about the vulnerabilities are being withheld. However, it has been reported that the exploit can bypass Apple’s BlastDoor sandbox framework, which is designed to prevent zero-click attacks.
Since the beginning of this year, Cupertino has resolved 13 zero-day bugs in its software. The latest updates arrive more than a month after the company provided fixes for a kernel flaw (CVE-2023-38606) that was being actively exploited.
Recently, multiple zero-day vulnerabilities were found in the iPhone operating system. Amidst escalating trade tensions between China and the United States, the Chinese government banned the use of foreign-branded devices, including iPhones, for work by central and state government officials to reduce reliance on overseas technology.
Mobile and Security Researcher ZUK said,
The real reason is: cyber security (surprise surprise). iPhones have an image of being the most secure phone… but in reality, iPhones are not safe at all against simple espionage. Don’t believe me? Just look at the number of 0-clicks commercial companies like NSO had over the years to understand that there is almost nothing an individual, an organization, or a government can do to protect itself against cyber espionage via iPhones.
It’s not that the alternative, Android, is much better.