Security News > 2023 > September > Apple zero-click iMessage exploit used to infect iPhones with spyware
Citizen Lab says two zero-days fixed by Apple today in emergency security updates were actively abused as part of a zero-click exploit chain to deploy NSO Group's Pegasus commercial spyware onto fully patched iPhones.
The two bugs, tracked as CVE-2023-41064 and CVE-2023-41061, allowed the attackers to infect a fully-patched iPhone running iOS 16.6 and belonging to a Washington DC-based civil society organization via PassKit attachments containing malicious images.
"We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS without any interaction from the victim," Citizen Lab said.
"The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim."
Apple and Citizen Lab security researchers discovered the two zero-days in the Image I/O and Wallet frameworks.
iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
News URL
Related news
- Apple: Mercenary spyware attacks target iPhone users in 92 countries (source)
- Apple Alerts iPhone Users in 92 Countries to Mercenary Spyware Attacks (source)
- GoFetch security exploit can't be disabled on M1 and M2 Apple chips (source)
- Apple Updates Spyware Alert System to Warn Victims of Mercenary Attacks (source)
- Apple stops warning of 'state-sponsored' attacks, now alerts about 'mercenary spyware' (source)
- Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-07 | CVE-2023-41064 | Classic Buffer Overflow vulnerability in Apple Ipados and Iphone OS A buffer overflow issue was addressed with improved memory handling. | 7.8 |
| 2023-09-07 | CVE-2023-41061 | Unspecified vulnerability in Apple Ipados A validation issue was addressed with improved logic. | 7.8 |