HomeTechnologyApple Rushes to Patch...

Apple Rushes to Patch Zero-Day Flaws Exploited for Pegasus Spyware on iPhones

Sep 08, 2023THNSpyware / Vulnerability

Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group’s Pegasus mercenary spyware.

The issues are described as below –

  • CVE-2023-41061 – A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
  • CVE-2023-41064 – A buffer overflow issue in the Image I/O component that could result in arbitrary code execution when processing a maliciously crafted image.

While CVE-2023-41064 was found by the Citizen Lab at the University of Torontoʼs Munk School, CVE-2023-41061 was discovered internally by Apple, with “assistance” from the Citizen Lab.


The updates are available for the following devices and operating systems –

In a separate alert, Citizen Lab revealed that the twin flaws have been weaponized as part of a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus on fully-patched iPhones running iOS 16.6.

“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” the interdisciplinary laboratory said. “The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.”

Additional technical specifics about the shortcomings have been withheld in light of active exploitation. That said, the exploit is said to bypass the BlastDoor sandbox framework set up by Apple to mitigate zero-click attacks.

“This latest find shows once again that civil society is targeted by highly sophisticated exploits and mercenary spyware,” Citizen Lab said, adding the issues were found last week when examining the device of an unidentified individual employed by a Washington D.C.-based civil society organization with international offices.


Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

Cupertino has so far fixed a total of 13 zero-day bugs in its software since the start of the year. The latest updates also arrive more than a month after the company shipped fixes for an actively exploited kernel flaw (CVE-2023-38606).

News of the zero-days comes as the Chinese government is believed to have ordered a ban prohibiting central and state government officials from using iPhones and other foreign-branded devices for work in an attempt to reduce reliance on overseas technology and amid an escalating Sino-U.S. trade war.

“The real reason [for the ban] is: cybersecurity (surprise surprise),” Zuk Avraham, security researcher and founder of Zimperium, said in a post on X (formerly Twitter). “iPhones have an image of being the most secure phone… but in reality, iPhones are not safe at all against simple espionage.”

“Don’t believe me? Just look at the number of 0-clicks commercial companies like NSO had over the years to understand that there is almost nothing an individual, an organization, or a government can do to protect itself against cyber espionage via iPhones.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Source link

Most Popular


Please enter your comment!
Please enter your name here

More from Author

Read Now

The New York Film Festival opens with the industry in limbo

Comment on this storyCommentNEW YORK — The New York Film Festival got off to a stylish start Friday night with a party at Central Park’s famed Tavern on the Green — or as stylish as you can get when none of the striking actors in this...

Live updates from Week 5 of college football

No. 6 Penn State 10, Northwestern 10 Early turnovers were always apart of Northwestern’s upset formula against top-10 Penn State, but even the most optimistic Wildcat fans likely couldn’t imagine forcing a turnover on the very first play.  After fielding the opening kickoff on a triple hop, Penn...

YouTube Music rolls out auto-downloads for podcasts

Following the news that Google Podcasts is shutting down next year, YouTube Music now has the ability to auto-download podcasts. To enable, visit a show page and tap the new settings gear icon to “Save/d to library.” This slides up the “Turn on auto-downloads” button and will...

Apple Says iPhone 15 Pro’s Titanium Frame Does Not Contribute to Overheating Issue

Apple today said it plans to release an iOS 17 software update with a bug fix for the iPhone 15 Pro and iPhone 15 Pro Max overheating issue, and the company has since shared additional details about the matter with MacRumors. Importantly, Apple said the issue is...

Beyonce in Final Talks to Release ‘Renaissance’ Concert Film Through AMC Theatres Following Taylor Swift Deal (EXCLUSIVE)

Mason Poole A film based on Beyonce‘s smash hit Renaissance World Tour is in advanced talks to distribute directly to AMC Theatres, sources with knowledge of the project told Variety. Mega-agency CAA held preliminary talks with major studios and streamers two weeks ago, another source added, urging...

These are the top 4 Club stocks — and the bottom 4 — during the third quarter

September, historically the worst month of the year for stocks, once again brought pain to Wall Street, sending the market lower for the third quarter. A steep rise in Treasury yields and oil prices, combined with fears that the Federal Reserve would keep interest rates "higher...

Apple Says iPhone 15 Pro Overheating Due to iOS 17 Bug, Not Hardware Design

Widespread complaints about overheating of the new iPhone 15 Pro and Pro Max can be traced to several factors, including a software bug in iOS 17, Apple told CNET on Saturday. The company said the new phones' titanium frame and aluminum substructure aren't contributing to the issue, and that...

Giants LT Thomas out; Saquon a game-time call

Jordan RaananESPN Staff WriterSep 30, 2023, 11:57 AM ET2 Minute ReadEAST RUTHERFORD, N.J. -- The New York Giants could be extremely short-handed Monday night with left tackle Andrew Thomas being ruled out and running back Saquon Barkley expected to be a game-day decision, according to coach...

Amy Schneider, historic ‘Jeopardy!’ champ, is more than a trivia buff

Comment on this storyCommentThe past two years have been a whirlwind for Amy Schneider. In late 2021, the trivia buff became a household name when she appeared on “Jeopardy!” and rattled off a remarkable 40-game winning streak — the second highest in the show’s history.Her success...