Apple on Thursday released software updates addressing two zero-day vulnerabilities that were used to deliver the NSO Group’s Pegasus spyware. At least one device was compromised with the mercenary spyware through these zero-day bugs.
“Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware.”
Citizen Lab cybersecurity researchers
Users Urged to Update Their Devices
Referred to as “BLASTPASS”, the exploit chain has been identified as a zero-day, zero-click vulnerability. This means it could be used to compromise iPhones running the then-latest version of iOS, v16.6, without requiring any interaction from the victim.
Commenting on both bugs, Apple stated that it was already “aware of a report that this issue may have been actively exploited”.
The first vulnerability, which has been identified as CVE-2023-41064, rendered iPhones and other Apple devices like iPads, Macs, and Apple Watches vulnerable to attacks while processing maliciously crafted images. This bug specifically impacts the Image I/O framework.
The other bug, tracked as CVE-2023-41061, was found in the company’s Wallet function.
It could be triggered when a “maliciously crafted attachment” is sent to the victim’s device. Citizen Lab revealed that they reported the vulnerabilities to Apple immediately and helped the tech giant investigate.
Acknowledging Citizen Lab’s assistance, Apple urged users to immediately update their devices to the latest version of iOS. The patch fixing the bugs for macOS Ventura, iOS, iPadOS, and watchOS devices was rolled out on Thursday.
Notably, Apple released the patch as a part of regular updates rather than a Rapid Security Response. The update will secure Apple devices owned by individuals, companies, and governments all over the world.
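The advice above reduces, for a fleet administrator, to a single question per device: is it still on a build that predates Thursday's fix? The script below is an added example, not code from the article, Apple, or Citizen Lab. It reads a constructed MDM-style inventory export and flags every iOS or iPadOS device at or below version 16.6, the last version the article names as vulnerable; it deliberately does not assess macOS or watchOS rows, because the article gives no version figures for those platforms and they should be checked against Apple's advisory instead. The inventory format, device IDs and platform labels are assumptions made for the example.

```python
import csv
import io

# The article states that iOS 16.6 (then the latest release) was vulnerable,
# so any iOS/iPadOS device at or below 16.6 has not received Thursday's fix.
LAST_VULNERABLE_IOS = "16.6"

# Constructed sample export in a hypothetical MDM CSV layout (not real data).
SAMPLE_INVENTORY = """\
device_id,platform,os_version
phone-01,iOS,16.6
phone-02,iOS,16.5.1
tablet-01,iPadOS,16.6
phone-03,iOS,17.0
mac-01,macOS,13.5
"""


def parse_version(text):
    """Turn strings such as '16.6.1', 'v16.6' or 'iOS 16.6' into (16, 6, 1)."""
    cleaned = text.strip().lower()
    for prefix in ("ipados", "ios", "v"):
        if cleaned.startswith(prefix):
            cleaned = cleaned[len(prefix):].strip()
    return tuple(int(part) for part in cleaned.split("."))


def at_or_below(version, ceiling):
    """True if version <= ceiling, padding so that 16.6 and 16.6.0 compare equal."""
    a, b = parse_version(version), parse_version(ceiling)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def find_unpatched(inventory_csv, ceiling=LAST_VULNERABLE_IOS):
    """Return (unpatched iOS/iPadOS device IDs, device IDs not assessed here)."""
    unpatched, not_assessed = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["platform"].lower() not in ("ios", "ipados"):
            # macOS/watchOS fixes exist too, but the article gives no version
            # numbers for them; report them for a manual advisory check.
            not_assessed.append(row["device_id"])
            continue
        if at_or_below(row["os_version"], ceiling):
            unpatched.append(row["device_id"])
    return unpatched, not_assessed


if __name__ == "__main__":
    needs_update, manual = find_unpatched(SAMPLE_INVENTORY)
    print("needs update:", needs_update)
    print("check advisory manually:", manual)
```

The padding step in at_or_below matters in practice: inventory tools report the same release as "16.6" or "16.6.0" depending on vendor, and a naive tuple comparison would treat those as different versions.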
What Is the Pegasus Spyware?
The spyware delivered by exploiting the zero-day bugs, Pegasus, was developed by the Israel-based cyber-intelligence firm NSO Group Technologies.
Designed to infiltrate both Android and iOS devices, Pegasus has been widely used to spy on journalists, political leaders, and activists around the world since its initial development in 2011.
While an average person isn’t usually targeted using the Pegasus spyware, it’s a popular choice for spying on high-profile individuals.
Notable victims include human rights investigators in Mexico, members of the Catalan Independence Movement, and assassinated Saudi journalist Jamal Khashoggi.
Governments and intelligence agencies have been known to use this zero-click spyware to target various individuals, especially potential dissidents.
Regulators have recently been trying to stem the spread of the malicious spyware. Earlier this year, US President Joe Biden signed an executive order that blocks the use of Pegasus by the government. The EU, too, saw member nations being urged by the European Parliament to ban the spyware.
So far, the tech giant has patched as many as 13 zero-day vulnerabilities this year. Previously, in June, Apple fixed two other bugs that had been exploited to conduct a spyware campaign that the Russian government blamed on the US.
The campaign was detected by Moscow-based cybersecurity firm Kaspersky. Another zero-day bug forced Apple to roll out a Rapid Security Response patch in July.