Apple races to patch the latest zero-day iPhone exploit

Apple devices are again under attack, with a zero-click, zero-day vulnerability used to deliver Pegasus spyware to iPhones discovered in the wild.

Even running the latest version of iOS (16.6) is no defence against the exploit, which involves PassKit attachments containing malicious images. Once sent to the victim's iMessage account, the NSO Group's Pegasus spyware can be deployed without interaction.

Researchers at Citizen Lab are referring to the exploit as BLASTPASS. The team said they immediately disclosed their findings to Apple when they first discovered an infected device owned by an individual employed by a Washington DC-based civil society organization with international offices.

Apple moved swiftly, assigning two CVEs to the exploit chain – CVE-2023-41064 and CVE-2023-41061 – and issuing updates for iOS and iPadOS. Apple and Citizen Lab also advised enabling Lockdown Mode, which blocks the attack, for at-risk users.

Citizen Lab said: "We commend Apple for their rapid investigative response and patch cycle, and we acknowledge the victim and their organization for their collaboration and assistance."

While Citizen Lab did not immediately respond to a request for more detail regarding the exploit chain – and the org plans an updated post on this topic in the future – some information can be gleaned from Apple's release notes.

CVE-2023-41064 is related to a buffer overflow issue in ImageIO where processing a maliciously crafted image might result in arbitrary code execution. The same result was noted for Wallet in CVE-2023-41061 due to a maliciously crafted attachment. In the latter's case, Apple dealt with a validation issue with improved logic.

PassKit is the service for distributable passes added to a user's Apple wallet. A pass is a signed Bundle containing a JSON description, images and localizations.

• China reportedly bans iPhones from more government offices
• Barracuda gateway attacks: How Chinese snoops keep a grip on victims' networks
• US Cyber Command boss says China's spooky cyber skills still behind
• Prepare for plenty more pain from Ivanti's MDM flaws, warn cyber agencies

Pegasus is the infamous spyware its developer, Israel's NSO Group, claims is only sold to legitimate government agencies. Once installed, it can monitor calls and messages and use the phone's camera. Despite protestations that the spyware is only licensed to government agencies to thwart criminals, its use has generated alarm among lawmakers and privacy activists alike.

In 2020 and 2021, Citizen Lab found the malware lurking on devices throughout the UK government.

As for the latest exploits, the advice is to update your iOS and iPadOS devices immediately. Unless, of course, you work for the Chinese government. ®