UPDATE - Apple has released security updates that address two actively exploited vulnerabilities in various versions of macOS, iOS, watchOS and iPadOS. If exploited, the vulnerabilities can lead to arbitrary code execution.
According to Citizen Lab, the two flaws are part of an exploit chain it calls BLASTPASS, which can compromise iPhones running the latest version of iOS at the time of discovery (16.6) with no interaction from the victim.
"Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware," according to Citizen Lab on Thursday.
One of the flaws (CVE-2023-41064) exists in the ImageIO framework, which lets applications read and write most image file formats. Apple addressed the buffer overflow with improved memory handling.
For this flaw, “processing a maliciously crafted image may lead to arbitrary code execution,” the company said in a Thursday security advisory. “Apple is aware of a report that this issue may have been actively exploited.”
The second flaw (CVE-2023-41061) is a validation issue in Apple’s Wallet feature, which allows users to store their cards and passes. According to Apple, a maliciously crafted attachment could lead to arbitrary code execution. The bug was addressed with improved logic.
Both bugs affect iPhone 8 and later, all models of the iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. CVE-2023-41061 also affects Apple Watch Series 4 and later, while CVE-2023-41064 additionally affects macOS Ventura. Apple has released iOS 16.6.1, iPadOS 16.6.1, watchOS 9.6.2 and macOS Ventura 13.5.2 to address the flaws.
On Sept. 11, Apple rolled out additional updates addressing CVE-2023-41064 in macOS Monterey and macOS Big Sur, as well as the iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).
While CVE-2023-41064 was found by Citizen Lab, CVE-2023-41061 was discovered internally by Apple, with “assistance” from Citizen Lab.
Citizen Lab did not reveal further details about the attack at this time, except to say that the exploit involved PassKit attachments containing malicious images, sent from an attacker iMessage account to the victim.
“For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” said Apple.
Apple has fixed several other actively exploited bugs over the past few months, including a WebKit flaw (CVE-2023-37450) affecting iOS, macOS and iPadOS in July and an integer overflow (CVE-2023-32434) affecting watchOS, macOS and iPadOS in June.
This article was updated on Sept. 7 with further information from Citizen Lab, and on Sept. 11 to reflect patches released for additional Apple products.