Apple deployed security updates on Thursday to fix actively exploited zero-day security flaws. These flaws, which were previously unknown to the tech giant, can be used to install malware through an attachment or "maliciously crafted image."  

These exploits were reportedly used against a member of a civil society organization in Washington, DC, according to researchers who uncovered these vulnerabilities.


Malware Could Compromise Apple iPhones

Citizen Lab, an internet watchdog group that specializes in investigating government malware, released a blog post outlining its recent discovery of these "Blastpass" bugs. They are also called "zero-click" or "clickless" vulnerabilities, meaning the victim does not need to interact with anything, such as an attachment, for the hack to succeed.

This vulnerability was part of a more extensive exploit chain designed to deliver NSO Group's malware, commonly referred to as Pegasus.

Citizen Lab explained that the exploit chain could compromise iPhones running the latest version of iOS (16.6) without requiring any interaction from the victim.

Following the discovery, Citizen Lab promptly reported the vulnerability to Apple. In response, Apple issued a patch on Thursday and thanked Citizen Lab for its prompt reporting.

Apple's latest security updates cover three releases: watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1, and macOS Ventura 13.5.2. For watchOS 9.6.2, the update will address an issue in the Wallet app for Apple Watch Series 4 and newer models.

It resolves a validation problem associated with crafted attachments that could lead to arbitrary code execution. Apple said it is aware of reports indicating this issue may have been actively exploited.

In the case of iOS 16.6.1 and iPadOS 16.6.1, the update primarily focuses on ImageIO. This component is responsible for image processing on iPhone 8 and later models and various iPad models.

The update rectifies a buffer overflow issue related to the processing of maliciously crafted images. Apple also noted that there were reports of active exploitation.

The release also includes a patch for the Wallet app, addressing a validation issue linked to maliciously crafted attachments, which might result in arbitrary code execution.

macOS Ventura 13.5.2, the latest update for this operating system, also centers on ImageIO. The impact is similar, addressing a buffer overflow issue tied to processing manipulated images. 


Apple and Citizen Lab Worked Together

Citizen Lab's discovery stemmed from a routine check of a device belonging to an individual working for a Washington, DC-based civil society organization with global offices.

The investigation unearthed an actively exploited zero-click vulnerability, a crucial component in the chain to deliver NSO Group's Pegasus spyware.

The researchers plan to delve deeper into the specifics of this exploit chain in forthcoming publications. Citizen Lab promptly communicated its findings to Apple and actively assisted in the investigation.

Apple reacted by issuing two Common Vulnerabilities and Exposures (CVEs) related to this exploit chain: CVE-2023-41064 and CVE-2023-41061. Citizen Lab stresses the importance of immediately updating devices to safeguard against potential risks.

It also encourages individuals facing elevated risks due to their roles or affiliations to activate Lockdown Mode, which is a protective measure that Apple's Security Engineering and Architecture team confirmed can thwart this specific attack. 


ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.