By Sergiu Gatlan on Saturday, 09 September 2023
Category: Security

Apple zero-click iMessage exploit used to infect iPhones with spyware

Citizen Lab says two zero-days fixed by Apple today in emergency security updates were actively abused as part of a zero-click exploit chain (dubbed BLASTPASS) to deploy NSO Group's Pegasus commercial spyware onto fully patched iPhones. 

The two bugs, tracked as CVE-2023-41064 and CVE-2023-41061, allowed the attackers to infect a fully-patched iPhone running iOS 16.6 and belonging to a Washington DC-based civil society organization via PassKit attachments containing malicious images.

"We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim," Citizen Lab said

"The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim."

Citizen Lab also urged Apple customers to update their devices immediately and encouraged those at risk of targeted attacks due to their identity or profession to activate Lockdown Mode.

Apple and Citizen Lab security researchers discovered the two zero-days in the Image I/O and Wallet frameworks.​

CVE-2023-41064 is a buffer overflow triggered when processing maliciously crafted images, while CVE-2023-41061 is a validation issue that can be exploited via malicious attachments.

Both allow threat actors to gain arbitrary code execution on unpatched iPhone and iPad devices.

Apple addressed the flaws in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 with improved logic and memory handling.

The list of affected devices includes:

Since the start of the year, Apple has fixed a total of 13 zero-days exploited to target devices running iOS, macOS, iPadOS, and watchOS, including:

Related Posts

Leave Comments