Apple has released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild by NSO Group’s Pegasus mercenary spyware. The vulnerabilities are CVE-2023-41061, a validation issue in Wallet that could result in arbitrary code execution, and CVE-2023-41064, a buffer overflow issue in the Image I/O component. CVE-2023-41064 was discovered by Citizen Lab, while CVE-2023-41061 was found internally by Apple with assistance from Citizen Lab.
Citizen Lab also revealed that these flaws were part of a zero-click iMessage exploit chain called BLASTPASS, which allowed Pegasus to be deployed on fully-patched iPhones running iOS 16.6. The exploit chain involved malicious images sent via PassKit attachments. The specifics of the flaws are being withheld due to active exploitation, but it is known that they bypass Apple’s BlastDoor sandbox framework.
Apple has fixed a total of 13 zero-day bugs this year, including the actively exploited kernel flaw CVE-2023-38606. This news comes as the Chinese government reportedly bans the use of iPhones and other foreign-branded devices by central and state government officials. Security researcher Zuk Avraham points out that despite iPhones’ reputation for security, they are not safe against espionage, as demonstrated by the number of zero-click exploits used by companies like NSO.
