Today, Apple rolled out crucial security patches for two actively exploited zero-day vulnerabilities. These flaws were part of a zero-click exploit chain that enabled the installation of NSO Group’s notorious Pegasus spyware on iPhones running the latest iOS 16.6 software. The exploited vulnerabilities are designated as CVE-2023-41064 and CVE-2023-41061. Cybersecurity firm Citizen Lab, which first sounded the alarm on these vulnerabilities, has named the exploit chain “BLASTPASS.”
Civil Society Organization in DC Targeted
The vulnerabilities were caught being exploited against an iPhone linked to a civil society group in Washington, D.C. The attackers used PassKit attachments containing malicious images to compromise the iPhone, requiring zero interaction from the victim. Citizen Lab was vocal in its advice, pressing Apple users to promptly update their devices.
Components Under Threat: Image I/O and Wallet Frameworks
Collaborative investigations by Apple and Citizen Lab traced the flaws to the Image I/O and Wallet frameworks of the iPhone. Specifically, CVE-2023-41064 is a buffer overflow vulnerability, triggered when a malicious image is processed. CVE-2023-41061, on the other hand, is a validation flaw exploitable via maliciously crafted attachments. These defects permit attackers to run arbitrary code on unpatched iPhones and iPads.
Immediate Action Required Against the Zero-Click iMessage Exploit: Update Your Devices Now
Both Apple and Citizen Lab urge users, especially those in high-risk professions or situations, to activate their device’s Lockdown Mode and update their operating systems without delay. The following software versions come with the necessary patches:
- macOS Ventura 13.5.2
- iOS 16.6.1
- iPadOS 16.6.1
- watchOS 9.6.2
These updates improve both logic and memory handling, closing the flaws that the attackers exploited.
Device Vulnerability: Are You Affected by the Zero-Click iMessage Exploit?
The affected devices are:
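The following Python example, added here and not taken from Apple or Citizen Lab, checks a device inventory against the fixed versions listed above. The CSV layout and device names are assumptions, and releases newer than those listed are assumed to carry the fix.

```python
import csv
import io
import re

# Fixed versions exactly as listed in the article above.
PATCHED = {"macos": (13, 5, 2), "ios": (16, 6, 1),
           "ipados": (16, 6, 1), "watchos": (9, 6, 2)}

def parse_version(text):
    """Turn '16.6' or '16.5.1 (c)' into a 3-tuple of ints."""
    match = re.match(r"\s*(\d+(?:\.\d+){0,2})", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def status(platform, version):
    """Return 'patched', 'update' or 'unknown' for one device."""
    key = platform.strip().lower()
    fixed = PATCHED.get(key)
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"
    # The article lists a macOS fix only for Ventura (13.x); older major
    # releases are outside what it covers, so report them as unknown.
    if fixed is None or (key == "macos" and installed[0] < 13):
        return "unknown"
    return "patched" if installed >= fixed else "update"

def audit(inventory_csv):
    """Map device name -> status for CSV text with name,platform,version."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["name"]: status(r["platform"], r["version"]) for r in rows}

# Constructed sample inventory; device names are hypothetical.
SAMPLE = """name,platform,version
exec-iphone,iOS,16.6
field-ipad,iPadOS,16.6.1
lab-mac,macOS,13.5.2
old-mac,macOS,12.6.8
ceo-watch,watchOS,9.6.1
rsr-iphone,iOS,16.5.1 (c)
"""

if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(f"{name:12} {result}")
```

Devices reported as "unknown" run a platform or major release the article does not list and need to be checked against Apple's own advisories.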
- iPhone 8 and newer models
- All versions of iPad Pro, iPad Air from the 3rd generation, iPad from the 5th generation, and iPad mini from the 5th generation
- Macs operating on macOS Ventura
- Apple Watch Series 4 and newer versions
Zero-Click iMessage: A Growing Concern for Apple
This isn’t Apple’s first rodeo dealing with zero-day vulnerabilities. The tech giant has grappled with 13 such exploits since the start of the year, targeting a variety of Apple platforms including iOS, macOS, iPadOS, and watchOS. To give you a snapshot:
- July: CVE-2023-37450 and CVE-2023-38606
- June: CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439
- May: CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373
- April: CVE-2023-28206 and CVE-2023-28205
- February: CVE-2023-23529 (WebKit)
For those who hold Apple products in their tech arsenal, the call to action is clear. Update your devices and stay vigilant. The security of your digital ecosystem may depend on it.