CTI Flash Briefing: Apple’s latest security update fixes Zero-Click Zero-Day exploit under active exploitation
Breakdown
Apple just released a new batch of security updates yesterday that contain updates for a zero-click 0-day exploit that was discovered last week by researchers at CitizenLab. They were investigating a device and found this actively exploited zero-click vulnerability was being used to infect devices with NSO Group’s Pegasus spyware. They immediately disclosed their findings to Apple, which issued CVE’s and the current security updates. All Apple devices should be patched immediately up to current versions: macOS 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2.
Area of Impact
This bulletin applies to all company owned and personal Apple devices. As detailed above, this includes macOS for laptops and desktops, iOS for phones, iPadOS for iPads and watchOS for all Apple watches.
Overview
CitizenLab has reported that the vulnerabilities are part of the “BLASTPASS” exploit chain being used in the wild to deliver the Pegasus spyware toolset created and supported by the NSO Group. This is a zero-click vulnerability that allows an attacker to send maliciously crafted PassKit images to a target via iMessage. This does not require any interaction with the software from the victim, which makes this a top priority vulnerability and requires immediate patching on all devices.
Details of the CVE’s as documented by BleepingComputer:
The bugs were found in the Image I/O and Wallet frameworks and are tracked as CVE-2023–41064 (discovered by Citizen Lab security researchers) and CVE-2023–41061 (discovered by Apple).
Citizen Lab also revealed today that the CVE-2023–41064 and CVE-2023–41061 bugs were actively abused as part of as part of a zero-click iMessage exploit chain named BLASTPASS that was used to deploy NSO Group’s Pegasus mercenary spyware onto fully patched iPhones (running iOS (16.6) via PassKit attachments containing malicious images.
CVE-2023–41064 is a buffer overflow weakness that gets triggered when processing maliciously crafted images, and it can lead to arbitrary code execution on unpatched devices.
CVE-2023–41061 is a validation issue that can be exploited using a malicious attachment to also gain arbitrary code execution on targeted devices.
Recommendation
Install available security patch updates from Apple immediately on all personal and company owned Apple devices as noted above. Each device has the capability in their settings menu to show code versions so you can verify devices match the updated code version numbers listed above as well.
Conclusion
To our current SOC partnerships, please reach out to our SOC team to learn more about the best steps in researching your exposure to this threat. If you have any questions on this on-going event or need any level of security assistance, please reach out to Hunter Strategy and we will be happy to discuss next steps in securing your IT systems!
Contact Us
contact@hunterstrategy.net
