Apple recently patched two vulnerabilities actively exploited in the wild to target iPhones. The researchers found these iOS zero-day flaws exploited to deliver spyware to a US-based civil society organization.
iOS Zero-Day Flaws Exploited To Deliver Spyware
According to a recent post from the Citizen Lab, their researchers noticed a specific exploit running on an individual iPhone, investigating which made them discover iOS zero-day flaws.
As explained, the researchers found the exploit on an employee of a civil society organization based in Washington DC. Tracing back the exploit led them to the notorious Pegasus spyware from the Israeli NSO Group. The attackers triggered the BLASTPASS exploit by sending malicious images in PassKit attachments via iMessage, hijacking the BlastDoor framework for iMessage security.
Apple Patched The iOS Zero-Day Flaws
In the recent Pegasus attack, the exploit identified as “BLASTPASS” involved two iOS zero-day vulnerabilities. These include,
- CVE-2023-41064: A buffer overflow vulnerability in ImageIO that allowed an adversary to execute arbitrary codes on target devices by sending maliciously crafted image files. Apple patched the flaw by improving memory handling.
- CVE-2023-41061: A validation issue with the wallet that allowed arbitrary code execution upon processing a maliciously crafted attachment. The tech giant fixed the issue with improved logic.
Following the researchers’ report, Apple patched the vulnerabilities with iOS 16.6.1 and iPadOS 16.6.1. In addition, these vulnerabilities also affected macOS Ventura and Apple Watch, which the firm patched with the release of macOS Ventura 13.5.2 and watchOS 9.6.2. Users should update their respective devices immediately to avoid the threats.
What Is Pegasus?
Pegasus is a potent sneaky spyware, proudly developed by the Israel-based firm ‘NSO Group,’ often found involved in various state-backed attacks. This spyware exploits zero-day vulnerabilities in Apple’s iOS, likely due to the prevalent use of iPhones among professionals, such as journalists, activists, government officials, and others.
While Pegasus reports often include iPhones as victim devices, NSO claims that the spyware can target Android, too. However, cases involving Android are seldom reported.
Pegasus takes over the target devices with a simple message or a phone call without requiring the victim user’s interaction, leaves no identifiable traces on the infected devices, and is difficult to remove via traditional malware removal methods.
Despite frequently patching the vulnerabilities, Pegasus keeps improvising itself to exploit more iOS zero-days to continue its attacks.
Let us know your thoughts in the comments.