The Information Highway

The Information Highway

Font size: +
2 minutes reading time (382 words)

Apple zero-click iMessage exploit used to infect iPhones with spyware

Citizen Lab says two zero-days fixed by Apple today in emergency security updates were actively abused as part of a zero-click exploit chain (dubbed BLASTPASS) to deploy NSO Group's Pegasus commercial spyware onto fully patched iPhones. 

The two bugs, tracked as CVE-2023-41064 and CVE-2023-41061, allowed the attackers to infect a fully-patched iPhone running iOS 16.6 and belonging to a Washington DC-based civil society organization via PassKit attachments containing malicious images.

"We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim," Citizen Lab said

"The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim."

Citizen Lab also urged Apple customers to update their devices immediately and encouraged those at risk of targeted attacks due to their identity or profession to activate Lockdown Mode.

Apple and Citizen Lab security researchers discovered the two zero-days in the Image I/O and Wallet frameworks.

CVE-2023-41064 is a buffer overflow triggered when processing maliciously crafted images, while CVE-2023-41061 is a validation issue that can be exploited via malicious attachments.

Both allow threat actors to gain arbitrary code execution on unpatched iPhone and iPad devices.

Apple addressed the flaws in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 with improved logic and memory handling.

The list of affected devices includes:

  • iPhone 8 and later
  • iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
  • Macs running macOS Ventura
  • Apple Watch Series 4 and later

Since the start of the year, Apple has fixed a total of 13 zero-days exploited to target devices running iOS, macOS, iPadOS, and watchOS, including:

  • two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
  • three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
  • three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
  • two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
  • and another WebKit zero-day (CVE-2023-23529) in February
CISA warns of critical Apache RocketMQ bug exploit...
Microsoft Teams phishing attack pushes DarkGate ma...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Monday, 23 December 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023