Emergency Apple Updates: Zero-Days Exploited to Deploy Spyware on iPhones

by | Sep 8, 2023 | News

Post Views: 626

Premium Content

Subscribe to Patreon to watch this episode.

Reading Time: 3 Minutes

Apple issued emergency security updates to address two zero-day vulnerabilities that were actively exploited in a sophisticated zero-click exploit chain. These vulnerabilities served as entry points for deploying NSO Group’s Pegasus commercial spyware onto fully patched iPhones.

The two identified vulnerabilities, tracked as CVE-2023-41064 and CVE-2023-41061, allowed attackers to compromise iPhones running iOS 16.6, even if they were fully patched. This alarming breach occurred within a Washington DC-based civil society organization through PassKit attachments containing malicious images.

Citizen Lab, a prominent research organization, has named this exploit chain “BLASTPASS.” The concerning aspect of this attack is that it could compromise iPhones running the latest version of iOS (16.6) without requiring any interaction from the victim. The attack method involved PassKit attachments, containing malicious images, sent from the attacker’s iMessage account to the victim’s device.

In response to these critical security breaches, Citizen Lab strongly advises all Apple customers to update their devices immediately. Furthermore, individuals who may be at risk of targeted attacks due to their identity or profession are encouraged to activate Lockdown Mode on their devices.

We refer to the exploit as BLASTPASS, as it employed a PassKit (Wallet) attachment containing a malicious image, sent via iMessage. When the phone processed the attachment, the exploit hijacked control of Apple's "BlastDoor" framework for iMessage security.

— Bill Marczak (@billmarczak) September 7, 2023

See Also: So you want to be a hacker?
Offensive Security, Bug Bounty Courses

These two zero-day vulnerabilities were discovered by both Apple and security researchers at Citizen Lab. They were found to exist within the Image I/O and Wallet frameworks.

CVE-2023-41064 is characterized as a buffer overflow vulnerability, triggered during the processing of maliciously crafted images. On the other hand, CVE-2023-41061 is a validation issue that can be exploited via malicious attachments. Both of these vulnerabilities allowed threat actors to gain arbitrary code execution on unpatched iPhone and iPad devices.

Apple has promptly addressed these flaws through updates, including macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2. These updates incorporate improved logic and memory handling to mitigate the vulnerabilities.

A range of Apple devices were affected, including iPhone 8 and later models, various iPad models, Macs running macOS Ventura, and Apple Watch Series 4 and later.

Trending: Recon Tool: Dirhunt

This marks the 13th zero-day vulnerability that Apple has addressed since the beginning of the year.
These vulnerabilities have been exploited to target devices running iOS, macOS, iPadOS, and watchOS. Apple’s commitment to swiftly patching such vulnerabilities underscores its dedication to user security.

In July, two zero-days (CVE-2023-37450 and CVE-2023-38606) were addressed
June saw the fixing of three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439).
May brought three additional zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373)
April saw the resolution of two zero-days (CVE-2023-28206 and CVE-2023-28205).
In February, another WebKit zero-day (CVE-2023-23529) was patched, signifying a continuous commitment to user safety.

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link