
Apple Addresses Critical Zero-Day Vulnerabilities Targeted by Pegasus Spyware

Apple has released critical security updates for its iOS, iPadOS, macOS, and watchOS operating systems to address two zero-day vulnerabilities that have been exploited in the wild to deliver Pegasus spyware.

Pegasus spyware, developed and sold by the Israeli company NSO Group, is a powerful tool that can be used to remotely monitor a target’s phone, including their calls, messages, and location. Targets include journalists, politicians, and a variety of other people. It is used by both commercial and public organisations for surveillance purposes.

CVE-2023-41064 and CVE-2023-41061 are the two zero-day vulnerabilities disclosed by Apple. Apple says it is aware of reports that both may have been actively exploited; successful exploitation could result in the execution of malicious code.

The Citizen Lab at the Munk School of the University of Toronto discovered CVE-2023-41064. Apple, on the other hand, found CVE-2023-41061 internally with the help of Citizen Lab.

According to Citizen Lab in a report:

We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim. The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.

Apple customers are strongly advised to upgrade their devices right away, according to Citizen Lab. Additionally, they have urged people to switch on Lockdown Mode if they are at risk of targeted attacks because of their identity or line of work. Through a joint effort between Apple and security researchers from Citizen Lab, two zero-day vulnerabilities in the Image I/O and Wallet frameworks were discovered.

The iMessage bug that compromises Apple’s BlastDoor security (Bill Marczak)

According to NIST, CVE-2023-41064, a buffer overflow vulnerability, was resolved with enhanced memory handling in macOS Ventura 13.5.2, iOS 16.6.1, and iPadOS 16.6.1. Processing a maliciously crafted image could lead to remote code execution. CVE-2023-41061, a validation vulnerability, was fixed with improved logic in Apple watchOS 9.6.2, iOS 16.6.1, and iPadOS 16.6.1; here a maliciously crafted attachment could lead to remote code execution.
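As an added example (not code from the article or from Apple), here is a small fleet compliance check that flags devices still running a release older than the fixed versions named above. The inventory rows and device names are constructed sample data, and the MDM export format is assumed.

```python
"""Flag devices that have not yet received the fixes for CVE-2023-41064 / CVE-2023-41061.

Minimum patched releases are the ones named in the advisory text above
(macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, watchOS 9.6.2).
"""
from typing import Dict, List, Tuple

# Releases in which Apple shipped the fixes, per the advisory text.
MIN_PATCHED: Dict[str, str] = {
    "iOS": "16.6.1",
    "iPadOS": "16.6.1",
    "macOS": "13.5.2",
    "watchOS": "9.6.2",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.6.1' into (16, 6, 1). A shorter tuple compares lower when its
    prefix matches, so '16.6' correctly sorts below '16.6.1'."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(platform: str, version: str) -> bool:
    """True when the device runs at least the fixed release for its platform.
    Unknown platforms are treated as unpatched so they get reviewed, not ignored."""
    minimum = MIN_PATCHED.get(platform)
    if minimum is None:
        return False
    return parse_version(version) >= parse_version(minimum)


def unpatched_devices(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the names of devices from an MDM-style inventory that still need the update."""
    return [d["name"] for d in inventory if not is_patched(d["platform"], d["version"])]


# Constructed sample inventory (hypothetical device names, assumed export layout).
SAMPLE_INVENTORY = [
    {"name": "cfo-iphone", "platform": "iOS", "version": "16.6"},
    {"name": "press-ipad", "platform": "iPadOS", "version": "16.6.1"},
    {"name": "editor-mac", "platform": "macOS", "version": "13.5.1"},
    {"name": "field-watch", "platform": "watchOS", "version": "9.6.2"},
]

if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{name}: update required")
```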

These zero-day vulnerabilities have come to light at the same time as reports that China’s government has put a ban in place: central and state government employees are prohibited from using iPhones and other foreign-branded devices for official purposes.

The goal of this instruction, which was issued against the backdrop of an escalating trade war between China and the United States, is to lessen reliance on foreign technology.

According to John Gallagher, Vice President of Viakoo Labs, the issue mostly affects certain individuals rather than the overall community. Gallagher recommended that prospective spyware targets enable Lockdown Mode, in line with Citizen Lab’s recommendations. According to Saeed Abbasi, Qualys’ Manager of Vulnerability and Threat Research, these extremely sophisticated, precise attacks often target specific persons or groups and may involve well-resourced and experienced entities.
