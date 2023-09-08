A zero-click, zero-day exploit chain targeting Apple devices has been discovered in the wild, delivering NSO Group's Pegasus spyware to iPhones. The chain, which Citizen Lab has named BLASTPASS, compromised devices running the then-current iOS 16.6 by means of PassKit attachments that contain malicious images. Once such an attachment is sent from an attacker-controlled iMessage account to the victim, Pegasus is deployed without any interaction from the target.

Citizen Lab discovered the chain while examining the device of an individual employed by a Washington DC-based civil society organization with international offices, and promptly notified Apple. Apple assigned two Common Vulnerabilities and Exposures (CVE) identifiers to the exploit chain, CVE-2023-41064 and CVE-2023-41061, and released updates for iOS and iPadOS. Users at risk were advised to enable Lockdown Mode, which blocks this particular attack.

Citizen Lab has not yet published further details of the exploit chain, but Apple's release notes describe the two vulnerabilities. CVE-2023-41064 is a buffer overflow in ImageIO: processing a maliciously crafted image may lead to arbitrary code execution, and Apple addressed it with improved memory handling. CVE-2023-41061 is a validation issue in Wallet: a maliciously crafted attachment may result in arbitrary code execution, and Apple addressed it with improved logic. Read alongside Citizen Lab's description of PassKit attachments carrying malicious images, the two advisories line up with a chain in which a Wallet attachment delivers an image that ImageIO then parses, though the exact sequence has not been confirmed publicly.
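To make the bug class behind CVE-2023-41064 concrete, here is an added illustration, not Apple's ImageIO or Wallet code and not the BLASTPASS exploit: a toy image format whose header carries an attacker-controlled length. decode_trusting() copies as many bytes as the header says into a fixed-size buffer, which is the overflow pattern; decode_checked() validates the declared length against both the bytes actually present and the destination buffer before copying, the kind of "improved logic" and "improved memory handling" Apple's notes describe. The format, the 16-byte buffer and the sample inputs are all invented for this example.

```c
/* Added illustration of the bug class, not ImageIO/Wallet code. The toy format,
 * PIXBUF_SIZE and the sample inputs below are invented for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PIXBUF_SIZE 16u   /* fixed decode buffer, as a decoder might allocate up front */

/* Toy header: 2-byte big-endian "pixel data length", followed by that many bytes. */
static size_t declared_len(const uint8_t *img, size_t img_len) {
    if (img_len < 2) return 0;
    return ((size_t)img[0] << 8) | img[1];
}

/* VULNERABLE: the copy length comes straight from the attacker-controlled header and
 * out_size is ignored, so a header larger than the buffer writes past the end of out
 * (and a header larger than the attachment over-reads img). */
static int decode_trusting(const uint8_t *img, size_t img_len, uint8_t *out, size_t out_size) {
    (void)out_size;
    size_t n = declared_len(img, img_len);
    memcpy(out, img + 2, n);          /* overflow when n > out_size */
    return (int)n;
}

/* HARDENED: reject the attachment before any copy if the declared length exceeds the
 * bytes actually present or the destination buffer. Returns -1 on rejection. */
static int decode_checked(const uint8_t *img, size_t img_len, uint8_t *out, size_t out_size) {
    if (img_len < 2) return -1;       /* truncated header */
    size_t n = declared_len(img, img_len);
    if (n > img_len - 2) return -1;   /* header lies about how much data follows */
    if (n > out_size) return -1;      /* would not fit: the overflow case */
    memcpy(out, img + 2, n);
    return (int)n;
}

/* Constructed sample inputs (not real attachments). */
static const uint8_t benign_img[]  = { 0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };
/* Header claims 0x40 = 64 bytes, but only 4 follow and 64 > PIXBUF_SIZE. */
static const uint8_t crafted_img[] = { 0x00, 0x40, 0x41, 0x41, 0x41, 0x41 };

/* Wrappers decoding into a shared PIXBUF_SIZE buffer, so results can be checked by name. */
static uint8_t g_pixbuf[PIXBUF_SIZE];
static int checked_into_pixbuf(const uint8_t *img, size_t img_len) {
    return decode_checked(img, img_len, g_pixbuf, sizeof g_pixbuf);
}
static int trusting_into_pixbuf(const uint8_t *img, size_t img_len) {
    return decode_trusting(img, img_len, g_pixbuf, sizeof g_pixbuf);
}
static int pixbuf_byte(size_t i) { return i < PIXBUF_SIZE ? g_pixbuf[i] : -1; }

int main(void) {
    printf("benign, checked:  %d\n", checked_into_pixbuf(benign_img, sizeof benign_img));
    printf("crafted, checked: %d\n", checked_into_pixbuf(crafted_img, sizeof crafted_img));
    printf("benign, trusting: %d\n", trusting_into_pixbuf(benign_img, sizeof benign_img));
    /* trusting_into_pixbuf(crafted_img, ...) would memcpy 64 bytes into a 16-byte buffer:
     * undefined behaviour, a crash under ASan, and a corruption primitive otherwise. Not run. */
    return 0;
}
```

The point of the pair is where the check sits: the hardened decoder refuses the attachment before touching memory, rather than trusting a length the sender controls. Building the vulnerable variant with `-fsanitize=address` and feeding it `crafted_img` shows the write past the buffer immediately.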

Pegasus, developed by Israel's NSO Group, is a controversial surveillance tool that the company says it sells only to vetted government agencies. Once installed, it can monitor calls and messages and activate the phone's camera. Despite NSO Group's position that the spyware is licensed for use against criminals, its use has drawn concern from lawmakers and privacy advocates. Citizen Lab previously reported suspected Pegasus infections associated with UK government networks.

To guard against this chain, update iOS and iPadOS devices immediately; the fixes shipped in iOS 16.6.1 and iPadOS 16.6.1, and Apple published corresponding updates for macOS Ventura (13.5.2) and watchOS (9.6.2) the same day. Citizen Lab commended Apple's rapid investigation and patch cycle, and the cooperation of the targeted organization, in getting this vulnerability addressed.

Definitions:

Zero-day vulnerability: A software vulnerability that is exploited, or becomes known to attackers, before the vendor has a fix available, leaving users with no patch to apply while it is being abused.

Exploit: A piece of software, code, or technique that takes advantage of a vulnerability in a system, application, or software to accomplish malicious actions or gain unauthorized access.

Pegasus spyware: A powerful spyware tool developed by the NSO Group that can covertly infiltrate and monitor various aspects of a target device, including calls, messages, and camera usage.

PassKit: Apple's framework for creating and distributing passes, such as tickets, coupons and membership cards, to the user's Apple Wallet app. A pass is packaged as a .pkpass bundle that includes image assets, and can be delivered to a device as an attachment.

CVE (Common Vulnerabilities and Exposures): A standardized identifier assigned to a specific vulnerability or security issue for the purpose of tracking and reference.

Sources: Citizen Lab, Apple release notes