- Apple has released urgent updates to fix 2 zero-days being exploited to deploy Pegasus spyware on fully updated iPhones.
- The iOS zero-days allowed zero-click remote code execution via malicious image files sent over iMessage.
- Apple has already patched 13 in-the-wild zero-days across its products in 2023, underscoring the need for swift security updates.
Apple has released emergency iOS updates to fix two actively exploited zero-day vulnerabilities that were being used to deploy the Pegasus spyware on fully updated iPhones.
Pegasus Spyware Deployed via Malicious Image Files
Dubbed BLASTPASS by Citizen Lab, the exploit chain involved sending maliciously crafted PassKit image attachments over iMessage. Once triggered, the Pegasus spyware would be installed without any action from the user.
“We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” Citizen Lab said.
“The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.”
The zero-days were found in the Image I/O and Wallet frameworks of iOS. CVE-2023-41064 stems from a buffer overflow in image processing, while CVE-2023-41061 is a validation issue.
Both flaws grant arbitrary remote code execution, enabling spyware installation on unpatched devices. They impact iPhone 8 and newer models, various iPad models and Apple Watch Series 4 onwards running iOS 16.6 and below.
Update Devices Urgently, Enable Lockdown Mode
Apple has addressed the vulnerabilities in iOS 16.6.1, iPadOS 16.6.1 and other platform updates by improving memory handling and input validation.
Citizen Lab strongly urged Apple users to install the latest updates immediately to protect against attacks leveraging these iPhone zero-days. Users especially at high risk of targeting should also consider enabling Lockdown Mode for added security.
Growth of iPhone Zero-Days Underscores Need for Vigilance
So far in 2023, Apple has already patched 13 in-the-wild zero-days across its product portfolio. This includes nine iOS zero-days alone since February.
The proliferation of iPhone and iPad zero-days highlights the resources and determination of private attack groups. It emphasizes the critical importance of swiftly applying security updates before threat actors can exploit them.
For Apple customers, maintaining software currency through prompt patching is essential to thwarting the growing spread of commercial spyware like Pegasus.