Citizen Lab says two zero-day vulnerabilities that Apple fixed today in an emergency security update are being actively exploited as part of a zero-click exploit chain, known as BLASTPASS, that deploys the NSO Group's Pegasus commercial spyware to unpatched iPhones.
The two vulnerabilities are CVE-2023-41064 and CVE-2023-41061. The attacker used a PassKit attachment containing a malicious image to infect a fully patched iPhone running iOS 16.6 that belonged to a Washington, D.C.-based civil society organization.
"We call the exploit chain BLASTPASS. The exploit chain is capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim," Citizen Lab said.
"The vulnerability involves a PassKit attachment, containing a malicious image, that an attacker's iMessage account sends to the victim."
Citizen Lab also urges Apple customers to update their devices immediately and encourages those at risk of targeted attacks because of their identity or occupation to activate Lockdown Mode.
Apple and Citizen Lab security researchers have discovered two zero-day vulnerabilities in the Image I/O and Wallet frameworks.
BLASTPASS Exploit
CVE-2023-41064 is a buffer overflow triggered when processing a maliciously crafted image, while CVE-2023-41061 is an authentication issue that can be exploited via a malicious attachment.
Both allow threat actors to obtain arbitrary code execution on unpatched iPhone and iPad devices.
Apple addressed the flaws in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 with improved logic and memory handling.
The list of affected devices includes:
iPhone 8 and newer
iPad Pro (all models), iPad Air 3rd generation and newer, iPad 5th generation and newer, and iPad mini 5th generation and newer
Macs running macOS Ventura
Apple Watch Series 4 and newer
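For a defender, the actionable content of the advisory is the set of minimum fixed builds (iOS 16.6.1, iPadOS 16.6.1, macOS Ventura 13.5.2, watchOS 9.6.2) plus the recommendation to enable Lockdown Mode for high-risk users. The script below is an added example, not code from Citizen Lab, Apple, or the article's author: it triages a constructed MDM-style inventory export against those baselines, handling the edge cases a naive string comparison gets wrong (16.6 versus 16.6.1, a newer major release such as 17.0, and platforms the advisory does not cover). The inventory column names and sample devices are assumptions made up for the example.

```python
import csv
import io

# Minimum OS builds carrying the BLASTPASS fixes, as listed in the article.
FIXED_VERSIONS = {
    "iOS": "16.6.1",
    "iPadOS": "16.6.1",
    "macOS": "13.5.2",
    "watchOS": "9.6.2",
}


def parse_version(text):
    """Turn '16.6.1' into (16, 6, 1); pad so '16.6' compares as (16, 6, 0)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(platform, version):
    """True if the device runs the fixed build or anything newer."""
    if platform not in FIXED_VERSIONS:
        raise ValueError(f"no fix baseline recorded for {platform}")
    return parse_version(version) >= parse_version(FIXED_VERSIONS[platform])


def triage(inventory_csv):
    """Return (device_id, finding) pairs for every device that needs action.

    Column names (device_id, platform, os_version, high_risk, lockdown_mode)
    are an assumed export format, not a real MDM schema.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        dev, platform, version = row["device_id"], row["platform"], row["os_version"]
        high_risk = row["high_risk"] == "yes"
        lockdown = row["lockdown_mode"] == "on"
        if platform not in FIXED_VERSIONS:
            # Not covered by this advisory; do not silently mark it as fine.
            findings.append((dev, f"untracked platform {platform}: review manually"))
            continue
        if not is_patched(platform, version):
            findings.append(
                (dev, f"{platform} {version} is below {FIXED_VERSIONS[platform]}: update now")
            )
        if high_risk and not lockdown:
            findings.append((dev, "high-risk user without Lockdown Mode: enable it"))
    return findings


# Constructed sample inventory; none of these are real devices.
SAMPLE_INVENTORY = """device_id,platform,os_version,high_risk,lockdown_mode
phone-01,iOS,16.6,yes,off
phone-02,iOS,16.6.1,no,off
phone-03,iOS,17.0,yes,on
tablet-01,iPadOS,16.5.1,no,off
mac-01,macOS,13.5.2,no,off
watch-01,watchOS,9.6.1,no,off
tv-01,tvOS,16.6,no,off
"""

if __name__ == "__main__":
    for device, finding in triage(SAMPLE_INVENTORY):
        print(f"{device}: {finding}")
```

Versions are compared as integer tuples rather than strings, so "16.6" correctly sorts below "16.6.1" and a future "17.0" is treated as patched. Platforms with no recorded baseline (tvOS in the sample) are surfaced for manual review instead of being skipped.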
Since the beginning of the year, Apple has fixed a total of 13 zero-day vulnerabilities for devices running iOS, macOS, iPadOS, and watchOS, including:
Two zero-day vulnerabilities in July (CVE-2023-37450 and CVE-2023-38606)
Three zero-day vulnerabilities in June (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439)
Three zero-day vulnerabilities in May (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373)
Two zero-day vulnerabilities in April (CVE-2023-28206 and CVE-2023-28205)
Another WebKit zero-day vulnerability (CVE-2023-23529) in February.
Original article by SnowFlake; if reproduced, please credit https://cncso.com/en/apple-zero-click-imessage-exploit.html