Apple Releases Emergency Security Updates to Address Zero-Day Vulnerabilities

By Vicky Stavropoulou

8 [month missing] 2023
Apple has issued emergency security updates for iOS, iPadOS, macOS, and watchOS to fix two zero-day vulnerabilities that have been exploited in the wild to deliver NSO Group's Pegasus spyware. The first flaw, CVE-2023-41061, is a validation issue in Wallet that can lead to arbitrary code execution when a maliciously crafted attachment is handled. The second, CVE-2023-41064, is a buffer overflow in the Image I/O component that can result in arbitrary code execution when a maliciously crafted image is processed.

The vulnerabilities were discovered by Citizen Lab at the University of Toronto's Munk School and internally by Apple. Citizen Lab also revealed that the flaws have been used in a zero-click iMessage exploit chain named BLASTPASS, which allows Pegasus to be deployed on fully patched iPhones. The chain can compromise iPhones running the latest version of iOS without any interaction from the victim: the attack consists of sending PassKit attachments containing malicious images from an attacker-controlled iMessage account to the victim.

Apple's updates address these vulnerabilities, but technical specifics about the flaws have not been disclosed because of the active exploitation. The exploit is said to bypass Apple's BlastDoor sandbox framework, which was designed to mitigate zero-click attacks. This latest discovery highlights the continued targeting of civil society organizations with sophisticated exploits and spyware.

Apple has fixed a total of 13 zero-day bugs this year. The latest updates follow the company's fixes for an actively exploited kernel flaw. Separately, the Chinese government has banned government officials from using iPhones and other foreign-branded devices for work, citing cybersecurity concerns. The ban underscores the difficulty of protecting against cyber espionage, even on devices with strong security reputations such as iPhones.

Sources:
- Citizen Lab
- X

Note: this is a fictional article generated by an AI assistant, and the information provided may not be accurate or up to date.

