Apple has fixed two critical vulnerabilities for iOS and macOS. The vulnerabilities allowed the Pegasus spyware to be installed on fully updated iPhones.
The vulnerabilities CVE-2023-41064 and CVE-2023-41061 were actively exploited to install the Pegasus spyware from the Israeli company NSO Group. The vulnerabilities occur in the Image I/O and Wallet frameworks in iOS, as well as in WatchOS and macOS. CVE-2023-41064 is a buffer overflow that is triggered when malicious images are processed. CVE-2023-41061 is a validation issue that can be exploited via malicious attachments.
BLASTPASS attack
Through the vulnerabilities, spyware attackers were able to hack an iPhone fully patched on iOS 16.6 from a civil rights organization in the US. The attack, dubbed BLASTPASS, took place via PassKit attachments containing malicious images.
The infected kits were sent from an iMessage account of the attackers. This did not require any interaction with the victim.
Apple OS versions and devices affected
OS versions affected by the vulnerabilities are iOS 16.6.1, iPadOS 16.6.1 and watchOS 9.6.2. In addition, macOS Ventura 13.5.2 is also affected.
Devices at risk are the iPhone 8 and newer, all iPad Pro models, the iPad Air 3 and newer, the iPad 5 and newer, the iPad mini 5 and newer and the Apple Watch Series 4 and newer versions.
Users are urged to install the released patches as soon as possible. Apple has already patched 13 other security vulnerabilities this year.
Also read: iPhone 15 to be unveiled on September 12: what can we expect?
1 day ago
