Apple Rushes to Patch Zero-Day Flaws Exploited for Pegasus Spyware on iPhones
Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware.
In a separate alert, Citizen Lab revealed that the twin flaws have been weaponized as part of a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus on fully patched iPhones running iOS 16.6.
"The exploit chain was capable of compromising iPhones running the latest version of iOS without any interaction from the victim," the interdisciplinary laboratory said.
The latest updates also arrive more than a month after the company shipped fixes for an actively exploited kernel flaw.
News of the zero-days comes as the Chinese government is believed to have banned central and state government officials from using iPhones and other foreign-branded devices for work, in an attempt to reduce reliance on overseas technology and amid an escalating Sino-U.S. trade war.
"The real reason is: cybersecurity," Zuk Avraham, security researcher and founder of Zimperium, said in a post on X. "iPhones have an image of being the most secure phone... but in reality, iPhones are not safe at all against simple espionage."
News URL
https://thehackernews.com/2023/09/apple-rushes-to-patch-zero-day-flaws.html