City Life

Unveiling new technologies and the power of AI

CISA Orders Federal Agencies to Patch Zero-Day iMessage Exploit Targeting iPhones

Sep 11, 2023
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an order for federal agencies to patch security vulnerabilities that were exploited as part of a zero-click iMessage exploit chain. These vulnerabilities were used to infect iPhones with the Pegasus spyware developed by NSO Group. This action follows the disclosure by Citizen Lab that fully-patched iPhones belonging to a civil society organization in Washington DC were compromised using an exploit chain called BLASTPASS, which utilized PassKit attachments containing malicious images.

Citizen Lab has also cautioned Apple customers to immediately apply emergency updates that were released on Thursday. They have further urged individuals who may be susceptible to targeted attacks due to their identity or occupation to enable Lockdown Mode.

The two vulnerabilities, which affect the Image I/O and Wallet frameworks, are tracked as CVE-2023-41064 and CVE-2023-41061 respectively. Apple acknowledged the report of active exploitation and has since released fixes for these vulnerabilities in the latest versions of macOS Ventura, iOS, iPadOS, and watchOS. These updates address the memory handling and logic issues that allowed attackers to execute arbitrary code on devices that had not been patched.

CISA has included these two security flaws in its Known Exploited Vulnerabilities catalog, stating that they are frequently targeted by malicious cyber actors and pose significant risks to the federal enterprise. As a result, U.S. Federal Civilian Executive Branch Agencies (FCEB) are required to patch all vulnerabilities listed in the catalog within a specified timeframe, according to a binding operational directive (BOD 22-01) published in November 2022. In light of this update, federal agencies must secure vulnerable iOS, iPadOS, and macOS devices on their networks against CVE-2023-41064 and CVE-2023-41061 by October 2nd, 2023.

Although the directive primarily applies to U.S. federal agencies, CISA strongly advises private companies to prioritize the patching of these vulnerabilities as soon as possible. Apple has been actively addressing zero-day vulnerabilities in its operating systems this year, with a total of 13 exploits being fixed since January 2023.

– Zero-click exploit: A type of cyber attack where no user interaction is required for the vulnerability to be exploited.
– iMessage: A messaging platform developed by Apple for its devices.
– Spyware: Malicious software designed to secretly gather information from a target device or computer.

