
Urgent Cybersecurity Alert: Apple Scrambles to Patch Zero-Day Vulnerabilities Exploited by Pegasus Spyware

Author: Joseph Morgan

Date: 08 September, 2023


Introduction

Apple has released emergency security patches for iOS, iPadOS, macOS, and watchOS. The updates fix two zero-day vulnerabilities that have been actively exploited to deliver NSO Group’s Pegasus spyware. This post analyses the situation and sets out the immediate steps you should take to secure your Apple devices.

The Zero-Day Vulnerabilities

CVE-2023-41061

This vulnerability is a validation issue within Apple’s Wallet application. The flaw could allow an attacker to execute arbitrary code when a maliciously crafted attachment is handled by the Wallet app. This vulnerability was discovered internally by Apple, with assistance from the Citizen Lab at the University of Toronto.

CVE-2023-41064

This is a buffer overflow issue in the Image I/O component of Apple’s operating systems. Like the first vulnerability, this flaw could also result in arbitrary code execution when processing a maliciously crafted image. This vulnerability was identified by the Citizen Lab at the University of Toronto’s Munk School.

Affected Devices and Operating Systems

  • Fixed in iOS 16.6.1 and iPadOS 16.6.1: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

  • Fixed in macOS Ventura 13.5.2: all Macs running macOS Ventura.

  • Fixed in watchOS 9.6.2: Apple Watch Series 4 and later.

The Exploit Chain: BLASTPASS

Citizen Lab has revealed that these twin flaws have been weaponised as part of a zero-click iMessage exploit chain, dubbed BLASTPASS. This exploit chain is capable of compromising fully-patched iPhones running iOS 16.6 without requiring any interaction from the victim. The exploit involves PassKit attachments containing malicious images sent via iMessage from an attacker’s account to the victim.

Immediate Actions to Take

  1. Update Immediately: If you are using any of the affected devices, update your operating system immediately to the latest version to patch these vulnerabilities.

  2. Enable Two-Factor Authentication (2FA): Always have 2FA enabled for added security.

  3. Be Cautious of Unknown Attachments: Do not open attachments from unknown or untrusted sources.
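
For a managed fleet, step 1 can be verified against an inventory export. The script below is an added example, not part of the original post: it compares each device's OS version with the fixed releases listed above. The CSV columns, device names and status labels are assumptions made for illustration, and devices on a different major OS line are reported as not covered because this page lists no fixed build for them.

```python
import csv
import io
import re

# Fixed releases as listed on this page (platform -> version tuple).
PATCHED = {
    "ios": (16, 6, 1),
    "ipados": (16, 6, 1),
    "macos": (13, 5, 2),
    "watchos": (9, 6, 2),
}

def parse_version(text):
    """Turn '16.6', '13.5.2' or '16.5.1 (c)' into a 3-part tuple, or None."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())

def classify(platform, version):
    """Return 'patched', 'needs_update', 'not_covered' or 'unknown'."""
    fixed = PATCHED.get(platform.strip().lower())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "unknown"
    if parsed[0] != fixed[0]:
        # Different major line: the page lists no fixed build for it.
        return "not_covered"
    return "patched" if parsed >= fixed else "needs_update"

def audit(inventory_csv):
    """Map device name -> status for a CSV with name,platform,os_version."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["name"]: classify(r["platform"], r["os_version"]) for r in rows}

# Constructed sample inventory (hypothetical device names, not real data).
SAMPLE = """name,platform,os_version
exec-iphone,iOS,16.6
lab-ipad,iPadOS,16.6.1
dev-macbook,macOS,13.5.1
old-iphone,iOS,15.7.8
ops-watch,watchOS,9.6.2
kiosk,tvOS,16.6
field-iphone,iOS,16.5.1 (c)
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name:14} {status}")
```

Devices reported as `not_covered` or `unknown` need a manual check against Apple's security release notes for their OS line.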

Conclusion

The discovery of these zero-day vulnerabilities serves as a stark reminder that even the most secure systems are not impervious to attacks. Apple has so far fixed a total of 13 zero-day bugs this year, and this latest find underscores the ongoing risks posed by highly sophisticated exploits and mercenary spyware.

It is imperative for individual users, organisations, and governments to remain vigilant and proactive in updating their devices and employing best practices in cybersecurity. Failure to do so could result in severe consequences, including unauthorised data access and potential cyber espionage.