Apple has issued a critical security update for iPhones to address a zero-day bug in iOS 16 that could allow attackers to remotely install spyware on a device without any interaction from the iPhone owner.

The Citizen Lab at The University of Torontoʼs Munk School actively tracks PSOAs (private sector offensive actors) and the expanding market for companies that sell hacking and exploitation tools and services. It played a pivotal role in uncovering and reporting these issues.

So far this year, Apple has rolled out fixes for 13 documented in-the-wild zero-days in iOS, iPadOS and macOS platforms.  The company has also shipped ‘Lockdown Mode’ in direct response to these attacks but the pace of exploitation has not slowed.

 

Exploit Chain – BLASTPASS:

Citizen Lab further uncovered a zero-click iMessage exploit chain dubbed BLASTPASS, which leveraged these vulnerabilities to deploy the notorious Pegasus spyware. Remarkably, this exploit chain could compromise fully patched iPhones running the latest iOS version (16.6) without requiring any interaction from the victim.

The zero-click zero-day exploit had been used to install NGO Group’s Pegasus spyware onto an iPhone owned by an employee of a Washington DC-based civil society organization. The exploit method involved sending PassKit attachments containing malicious images from an attacker’s iMessage account to the targeted victim.

Pegasus is spyware developed by a private contractor for use by government agencies. The spyware infects a phone and sends back data, including photos, messages, and audio/video recordings.

 

Vulnerabilities Overview:

The two identified vulnerabilities are:

1. CVE-2023-41061 – This flaw pertains to a validation issue within the Wallet application. It could potentially lead to the execution of arbitrary code when processing a malicious attachment.
2. CVE-2023-41064 – This vulnerability involves a buffer overflow issue within the Image I/O component. It has the potential to trigger arbitrary code execution when handling a specially crafted image.

 

Remediation Steps and Preventive Measures:

1. Updates and Patches: Ensure your device is running the latest software versions given below:iOS 16.6.1 and iPadOS 16.6.1

   macOS Ventura 13.5.2

   watchOS 9.6.2

   Enable automatic updates in your device settings to promptly receive critical security enhancements.

2. Exercise Caution with Links: Exercise vigilance when encountering unfamiliar links or downloads. Refrain from engaging with  suspicious sources to safeguard against potential cyber threats.
3. Exercise Discretion with iMessages: Approach iMessages from unknown senders with prudence. Avoid opening attachments or images from unverified sources to mitigate potential security risks.
4.  Implement Robust Security Software: Reinforce your device’s defences against cyber threats by installing reputable antivirus and anti-malware programs, providing an additional layer of protection.
5. Enable Cloud-Based Backups: Implement a routine backup regimen, safeguarding your device data through secure cloud storage services. This precautionary measure ensures critical information remains intact in the event of a security incident.