Discover the Apple Emergency Updates to Counter Pegasus Spyware Exploits
On Thursday, Apple published critical security patches for iOS, iPadOS, macOS, and watchOS to fix two zero-day holes that have been used to distribute mercenary spyware from NSO Group called Pegasus in the wild.
The problems are listed below:
CVE-2023-41061 – A validation flaw in Wallet that, when handled by a maliciously designed attachment, might lead to arbitrary code execution.
When processing a maliciously created image, CVE-2023-41064, a buffer overflow flaw in the Image I/O component, might lead to arbitrary code execution.
CVE-2023-41061 was identified internally by Apple with “assistance” from the Citizen Lab, whereas CVE-2023-41064 was discovered by the Citizen Lab at the Munk School of the University of Toronto.
The following hardware and operating systems can receive the updates:
iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later all support iOS 16.6.1 and iPadOS 16.6.1.
macOS Ventura devices running version 13.5.2 of the operating system
Apple Watch Series 4 and later require watchOS 9.6.2.
The two holes were weaponized as part of the BLASTPASS zero-click iMessage exploit chain to deploy Pegasus on fully patched iPhones running iOS 16.6, according to a second advisory from Citizen Lab.
According to the transdisciplinary lab, “the exploit chain was capable of compromising iPhones running the most recent version of iOS (16.6) without any interaction from the victim.” PassKit attachments containing malicious photos were sent from an attacker’s iMessage account to the victim as part of the vulnerability.
Due to active exploitation, more technical details concerning the flaws have been withheld. However, it is claimed that the hack gets through the BlastDoor sandbox structure, which Apple set up to prevent zero-click attacks.
Keywords: Apple zero-day vulnerabilities Pegasus, iOS security patches Citizen Lab, BLASTPASS iMessage exploit chain
Also Read: Stay Protected! How Norton Small Business Can Safeguard Your Company’s Digital Assets
US Government Leads Global Effort to Dismantle Qakbot Malware Network