Apple has released emergency security updates for iOS [1], iPadOS [3] [4] [6], macOS [4] [6], and watchOS [4] [6] in response to two critical zero-day vulnerabilities, CVE-2023-41064 and CVE-2023-41061 [2] [6], which were discovered by Citizen Lab and have been actively exploited in the wild.

Description

These vulnerabilities, exploited together in a chain that Citizen Lab calls “BLASTPASS,” allow attackers to execute malicious code through a specially crafted image or attachment. They were used to deliver NSO Group’s Pegasus spyware [6], enabling remote installation of malware on fully patched iPhones running iOS 16.6 without any interaction from the victim. The attack involved sending malicious images through iMessage [5].

Apple promptly issued updates addressing these vulnerabilities across its platforms, protecting Safari [6], Messages [4] [5] [6], WhatsApp [6], and other first- and third-party apps that rely on the affected components [6]. Additionally, Apple has taken legal action against NSO Group, a blacklisted Israeli firm [7], for its spyware attacks on users [7]. The US government has also placed NSO Group on an export blacklist and issued an executive order banning government use of any commercial spyware previously misused by foreign states [7].

It is crucial for all iOS users to update their devices promptly. This year alone, Apple has fixed a total of 13 zero-day bugs [4]. Citizen Lab has revealed that highly sophisticated exploits and mercenary spyware are being aimed specifically at civil society. Experts emphasize the risk posed by these vulnerabilities, since they allow attackers to run malicious code and gain access to sensitive user information [3].

Users are advised to exercise caution with email attachments and unexpected images [3], to enable automatic updates [3], and to consider enabling Apple’s Lockdown Mode [3].

Apple’s emergency release of iOS 16.6.1 [1] [3] addresses two serious flaws that are already being exploited in real-world attacks [1]. The first, CVE-2023-41064 [1] [2] [3] [4] [5] [6] [7], affects ImageIO and allows an adversary to execute code through a maliciously crafted image [1]. The second, CVE-2023-41061 [1] [2] [3] [4] [5] [6] [7], affects Apple’s Wallet and allows an attacker to execute code through a maliciously crafted attachment [1].

These vulnerabilities have been used to deliver spyware [1], including Pegasus [1], which grants attackers complete access to an iPhone [1]. Citizen Lab has named the exploit chain “BLASTPASS”; it can compromise iPhones running iOS 16.6 without any interaction from the victim [1]. Such exploits are typically aimed at individuals with high threat models [1], such as public figures or government employees. The iOS 16.6.1 update was considered significant enough to be released ahead of the major iOS 17 update [1].
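The advice above boils down to one checkable condition per device: is the reported OS version at or above the fixed release? The following Python script is an added example, not code from the article or from Apple, that triages an MDM-style device inventory against that condition. The only baseline it takes from the article is iOS 16.6.1; the record layout (id, os, os_version), the sample inventory and the fixed-version table are assumptions, and any platform without a baseline in the table is reported as “unknown baseline” rather than silently treated as patched, so an incomplete table fails closed.

```python
"""Triage an MDM-style device inventory against the iOS 16.6.1 baseline.

Added example (not from the article or from Apple). Device records are
assumed to look like an MDM export: {"id": ..., "os": ..., "os_version": ...}.
Only the iOS baseline (16.6.1) comes from the article; other platforms must
be added from the vendor advisory and are flagged until then.
"""
from dataclasses import dataclass
import re

# Fixed versions per platform. Only iOS 16.6.1 is taken from the article;
# extend this table from Apple's advisory for iPadOS, macOS and watchOS.
FIXED_VERSIONS = {
    "iOS": "16.6.1",
}

# Leading dotted-number run; trailing build or channel text is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '16.6.1', '16.6' or '16.6.1 (beta)' into a comparable int tuple.

    Returns None when no leading dotted-number run is present, so a garbled
    inventory field is never mistaken for a very old (or very new) release.
    """
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1 comparing dotted-version tuples.

    Missing components count as 0, so '16.6' == '16.6.0' and '16.6' < '16.6.1'.
    """
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


@dataclass
class Finding:
    device_id: str
    platform: str
    reported: str
    status: str  # "patched" | "exposed" | "unparseable" | "unknown baseline"


def triage(inventory, fixed=FIXED_VERSIONS):
    """Classify each record; anything other than 'patched' needs follow-up."""
    findings = []
    for rec in inventory:
        platform = rec.get("os", "")
        reported = rec.get("os_version", "")
        baseline = fixed.get(platform)
        if baseline is None:
            # Fail closed: no baseline means we cannot claim the device is safe.
            status = "unknown baseline"
        else:
            v = parse_version(reported)
            if v is None:
                status = "unparseable"
            elif compare_versions(v, parse_version(baseline)) >= 0:
                status = "patched"
            else:
                status = "exposed"
        findings.append(Finding(rec.get("id", "?"), platform, reported, status))
    return findings


def exposed_ids(inventory, fixed=FIXED_VERSIONS):
    """Device ids that need an update pushed or a manual check."""
    return [f.device_id for f in triage(inventory, fixed)
            if f.status != "patched"]


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"id": "iphone-001", "os": "iOS", "os_version": "16.6.1"},
    {"id": "iphone-002", "os": "iOS", "os_version": "16.6"},
    {"id": "iphone-003", "os": "iOS", "os_version": "16.7"},
    {"id": "iphone-004", "os": "iOS", "os_version": "15.7.8"},
    {"id": "iphone-005", "os": "iOS", "os_version": "unknown"},
    {"id": "mac-001", "os": "macOS", "os_version": "13.5.1"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.device_id:12} {f.platform:8} {f.reported:10} {f.status}")
```

Devices on an older major branch (15.7.x in the sample) are reported as exposed because the article's stated remedy is 16.6.1; if a separate backported fix exists for that branch, add it to the table as its own entry rather than relaxing the comparison.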

Conclusion

The release of emergency security updates by Apple highlights the seriousness of these zero-day vulnerabilities and their active exploitation in the wild. It is essential for iOS users to update their devices promptly to protect against potential attacks. The legal action taken against NSO Group and the US government’s measures to blacklist the firm and ban the use of commercial spyware demonstrate the gravity of the situation. Moving forward, users should exercise caution when handling email attachments and unexpected images, enable automatic updates [3], and consider additional security measures such as Apple’s Lockdown Mode. The timely release of iOS 16.6.1 addresses the vulnerabilities and provides necessary protection for users, underscoring the importance of ongoing vigilance in the face of evolving threats.

References

[1] https://www.forbes.com/sites/kateoflahertyuk/2023/09/09/ios-1661-update-now-warning-issued-to-all-iphone-users/
[2] https://www.scmagazine.com/news/apple-issues-two-cves-to-patch-zero-day-flaws-used-to-deliver-pegasus-spyware
[3] https://www.computerweekly.com/news/366551552/Apple-patches-Blastpass-exploit-abused-by-spyware-makers
[4] https://thehackernews.com/2023/09/apple-rushes-to-patch-zero-day-flaws.html
[5] https://allinfosecnews.com/item/apple-patches-two-zero-days-under-attack-cve-2023-41064-cve-2023-41061-2023-09-08/
[6] https://arstechnica.com/gadgets/2023/09/apple-patches-clickless-0-day-image-processing-vulnerability-in-ios-macos/
[7] https://www.infosecurity-magazine.com/news/apple-patches-two-zerodays-pegasus/