Apple Swiftly Addresses Zero-Day Vulnerabilities Exploited for Pegasus Spyware Targeting iPhones


Product and Affected Versions:
Affected Products:
iOS 16.6.1
iPadOS 16.6.1
macOS Ventura 13.5.2
watchOS 9.6.2

Devices Affected:
iPhone 8 and later
iPad Pro (all models)
iPad Air 3rd generation and later
iPad 5th generation and later
iPad mini 5th generation and later
macOS devices running macOS Ventura
Apple Watch Series 4 and later

Severity and CVE IDs:
Critical
CVE-2023-41061 – Validation issue in Wallet.
CVE-2023-41064 – Buffer overflow issue in Image I/O component.

Vulnerability:
CVE-2023-41061: This vulnerability is a validation issue in Wallet that could lead to arbitrary code execution when handling a maliciously crafted attachment.
CVE-2023-41064: This vulnerability is a buffer overflow issue in the Image I/O component that could result in arbitrary code execution when processing a maliciously crafted image.

How the Attack Works:
The twin vulnerabilities have been exploited as part of a zero-click iMessage exploit chain called BLASTPASS to deploy the Pegasus spyware on fully-patched iPhones running iOS 16.6. The attack process involves:
1. Attackers send PassKit attachments containing malicious images from an attacker’s iMessage account to the victim.
2. The malicious images trigger the vulnerabilities in Wallet and Image I/O components.
3. The vulnerabilities allow arbitrary code execution on the target device without any interaction from the victim.

The exploit chain bypasses Apple’s BlastDoor sandbox framework, which is designed to mitigate zero-click attacks.

Remediations:
– iOS 16.6.1 and iPadOS 16.6.1 for affected iPhone and iPad models.
– macOS Ventura 13.5.2 for macOS devices running macOS Ventura.
– watchOS 9.6.2 for Apple Watch Series 4 and later.
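
To check a device fleet against the fixed releases listed above, the following added example (not Apple's or the advisory author's code) audits an inventory export. The CSV layout, device names and status labels are assumptions made for illustration; versions on a different major release line are flagged for manual review because this advisory does not cover them.

```python
import csv
import io

# Fixed releases named in the Remediations section of this advisory.
FIXED = {
    "iOS": (16, 6, 1),
    "iPadOS": (16, 6, 1),
    "macOS": (13, 5, 2),   # macOS Ventura
    "watchOS": (9, 6, 2),
}

# Constructed sample inventory (hypothetical device names and CSV layout).
SAMPLE_INVENTORY = """device,platform,os_version
exec-iphone-01,iOS,16.6
exec-iphone-02,iOS,16.6.1
lab-ipad-07,iPadOS,16.5.1
dev-mbp-12,macOS,13.5.2
dev-mbp-13,macOS,12.6.8
ops-watch-03,watchOS,9.6
kiosk-04,tvOS,16.6
qa-iphone-09,iOS,16.x
"""

def parse_version(text):
    """Turn '16.6' into (16, 6, 0); raise ValueError on non-numeric parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(text)
    return tuple(parts + [0] * (3 - len(parts)))

def classify(platform, os_version):
    """Compare one device against the fixed release for its platform."""
    fixed = FIXED.get(platform)
    if fixed is None:
        return "not-covered"      # platform not listed in this advisory
    try:
        version = parse_version(os_version)
    except ValueError:
        return "unparseable"      # do not guess; surface for manual check
    if version[0] != fixed[0]:
        return "review"           # other release line, outside this advisory
    return "patched" if version >= fixed else "needs-update"

def audit(csv_text):
    """Return {device: status} for every row of the inventory CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device"]: classify(r["platform"], r["os_version"]) for r in rows}

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device:16} {status}")
```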

Reference:
– The vulnerabilities were discovered and reported by Citizen Lab at the University of Toronto’s Munk School.
– The exploit chain has been named BLASTPASS.
– The vulnerabilities have been used to deliver the NSO Group’s Pegasus spyware.
– The attack bypasses Apple’s BlastDoor sandbox framework.
– Apple has fixed a total of 13 zero-day vulnerabilities in its software in the current year.
– The Chinese government has banned central and state government officials from using iPhones and foreign-branded devices for work due to cybersecurity concerns.
– Security researcher Zuk Avraham highlighted that iPhones are not immune to espionage and have been targeted by sophisticated exploits like 0-click attacks in the past.