According to Citizen Lab, a zero-click exploit chain it calls BLASTPASS was used to exploit two zero-days, which Apple fixed today in emergency security updates, to install NSO Group's commercial spyware on fully patched iPhones.
The two bugs, tracked as CVE-2023-41064 and CVE-2023-41061, allowed the attackers to infect a fully patched iPhone running iOS 16.6 and belonging to a Washington DC-based civil society organization via PassKit attachments containing malicious images.
“We refer to the exploit chain as BLASTPASS,” Citizen Lab said. “The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim.”
“The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.”
Citizen Lab also urged Apple users to update their devices immediately and encouraged those at risk of targeted attacks because of their identity or profession to enable Lockdown Mode.
The two zero-days were discovered in the Image I/O and Wallet frameworks by security researchers from Citizen Lab and Apple. CVE-2023-41064 is a buffer overflow that occurs when maliciously crafted images are processed, and CVE-2023-41061 is a validation issue that can be exploited by malicious attachments.
Both allow threat actors to gain arbitrary code execution on unpatched iPhone and iPad devices.
Apple fixed the flaws in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 with improved logic and memory handling.
The following devices are on the affected list:
iPhone 8 and later,
iPad Pro (all models),
iPad Air 3rd generation and later,
iPad 5th generation and later,
and iPad mini 5th generation and later.

Apple has fixed a total of 13 zero-days exploited to target devices running iOS, macOS, iPadOS, and watchOS since the beginning of the year, including:
two zero-days in July (CVE-2023-37450 and CVE-2023-38606),
three zero-days in June (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439),
three zero-days in May (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373),
and another WebKit zero-day in February (CVE-2023-23529).