Citizen Lab says two zero-days fixed by Apple today in emergency security updates were actively abused as part of a zero-click exploit chain (dubbed BLASTPASS) to deploy NSO Group's Pegasus commercial spyware onto fully patched iPhones.
The two bugs, tracked as CVE-2023-41064 and CVE-2023-41061, allowed the attackers to infect a fully-patched iPhone running iOS 16.6 and belonging to a Washington DC-based civil society organization via PassKit attachments containing malicious images.
"We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim," Citizen Lab said.
"The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim."
Citizen Lab also urged Apple customers to update their devices immediately and encouraged those at risk of targeted attacks due to their identity or profession to activate Lockdown Mode.
Apple and Citizen Lab security researchers discovered the two zero-days in the Image I/O and Wallet frameworks.
CVE-2023-41064 is a buffer overflow triggered when processing maliciously crafted images, while CVE-2023-41061 is a validation issue that can be exploited via malicious attachments.
Both allow threat actors to gain arbitrary code execution on unpatched iPhone and iPad devices.
Apple addressed the flaws in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 with improved logic and memory handling.
The list of affected devices includes:
- iPhone 8 and later
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Ventura
- Apple Watch Series 4 and later
Since the start of the year, Apple has fixed a total of 13 zero-days exploited to target devices running iOS, macOS, iPadOS, and watchOS, including:
- two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
- three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
- three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
- two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
- and another WebKit zero-day (CVE-2023-23529) in February