If you are an iPhone user, you should update your device to the latest release, iOS 16.6.1. In this update, Apple has fixed two zero-day vulnerabilities that were actively being used to deliver the Israel-based NSO Group’s Pegasus spyware to iPhones. That means any iPhone still running older software may be exposed to spyware attacks that could let attackers access your private data. Apple says the vulnerabilities “may have been actively exploited.”
Internet watchdog group Citizen Lab, while checking the device of an individual employed by a Washington DC-based civil society organisation with international offices, found the zero-click vulnerability. “The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” Citizen Lab said in a statement late on Thursday.
Citizen Lab refers to the exploit chain as ‘BLASTPASS’. The exploit involved PassKit attachments containing malicious images, sent from an attacker’s iMessage account to the victim. Citizen Lab immediately disclosed its findings to Apple and assisted in the company’s investigation. In response, Apple issued two CVEs for this exploit chain: CVE-2023-41064 and CVE-2023-41061.
“We would like to acknowledge The Citizen Lab at The University of Torontoʼs Munk School for their assistance,” said Apple.
The first vulnerability affected Image I/O, Apple’s framework that lets apps read and write most image file formats and access an image’s metadata. Apple has described the vulnerability and the fix as follows:
Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A buffer overflow issue was addressed with improved memory handling.
The second fix is for a vulnerability in the Apple Wallet app. Apple said, “A maliciously crafted attachment may result in arbitrary code execution.” According to the company, this issue too may have been actively exploited. The update addresses it “with improved logic.”
Citizen Lab has also urged everyone to immediately update their iPhone and iPad devices to the latest software version. “We encourage everyone who may face increased risk because of who they are or what they do to enable Lockdown Mode,” the researchers said. Apple’s update will secure devices belonging to regular users, companies, and governments around the globe. “The ‘BLASTPASS’ discovery highlights the incredible value to our collective cybersecurity of supporting civil society organizations,” the watchdog said.
— Written with inputs from IANS
Author: Shubham Verma