
US Cybersecurity and Infrastructure Security Agency Urges Federal Agencies to Patch Known Apple Flaws

By Gabriel Botha

September 12, 2023
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to federal agencies, urging them to update their iOS, iPadOS, and macOS devices within a month. This is in response to the discovery of two zero-day vulnerabilities in Apple products that could potentially be exploited by spyware attacks.

The first vulnerability, known as CVE-2023-41064, is a buffer overflow vulnerability in ImageIO. It occurs when processing a specially crafted image and could lead to code execution. The second vulnerability, CVE-2023-41061, is a validation issue in Apple Wallet. A maliciously crafted attachment could result in code execution.

Citizen Lab, a non-profit organization, recently discovered these vulnerabilities as part of an exploit chain called “BlastPass.” This chain was used to deliver the Pegasus spyware to an employee of a Washington-based civil society organization. Citizen Lab revealed that the exploit utilized PassKit attachments containing malicious images sent via iMessage.

While it is unclear who authorized these attacks, there is concern that they could also be used to target US government officials if carried out by a hostile nation. In the past, similar spyware attacks have been reported, with nine US State Department officials having their iPhones remotely hacked in 2021.

Apple has decided to take legal action against the Israeli firm NSO Group, which is believed to be responsible for developing and selling the Pegasus spyware. NSO Group claims that its products are intended for legitimate law enforcement and intelligence gathering purposes.

To mitigate the risk of spyware attacks, federal agencies have until October 2 to patch the discovered vulnerabilities through official vendor updates. Agencies that fail to do so may have to discontinue use of the affected Apple products.

Sources:
– “The US Cybersecurity and Infrastructure Security Agency (CISA) Urges Immediate Patch of Known Apple Vulnerabilities” – CISA
– “BlastPass: Zero-Click Mobile Exploitation of Apple’s iMessage” – Citizen Lab

