Apple patches two zero-day flaws abused to install the Pegasus spyware

Cupertino swiftly closed two actively exploited bugs discovered in iOS in just a few days


Why it matters: Pegasus is a commercial spyware developed by Israel-based cyber-arms firm NSO Group that ostensibly exists to "prevent and investigate" terror and crime. However, Pegasus is often used to track, spy on, and compromise journalists, activists, political dissidents, and lawyers worldwide.

Watchdog group Citizen Lab recently found two zero-day iPhone vulnerabilities that allow Pegasus spyware a way into the device. The flaws were used to spy on an unnamed individual employed by a Washington DC civil society organization, abusing an exploit chain the researchers referred to as BLASTPASS.

The main exploit compromised PassKit, Apple's framework designed to include the Apple Pay option in third-party apps. It used attachments containing "malicious images" sent through the Messages app as the attack vector. This "zero-click" exploit requires no user interaction, as just receiving the malicious attachment on the latest version of iOS was enough to get infected by the Pegasus spyware.

The BLASTPASS exploit chain was "immediately" disclosed to Apple, and the company quickly went to work on the issue. Apple has now released two security updates, iOS 16.6.1 and iPadOS 16.6.1, acknowledging Citizen Lab's investigation and addressing an additional problem related to the main BLASTPASS flaw.

The first bug (CVE-2023-41064) is a buffer overflow issue found in the iOS ImageIO component. Hackers could abuse the flaw by forcing ImageIO to process a maliciously crafted image, leading to arbitrary code execution. Apple fixed the vulnerability by improving ImageIO memory handling.

The second flaw (CVE-2023-41061) was found in Wallet, where a "validation issue" could be manipulated to send malicious attachments designed to allow arbitrary code execution. Apple improved the code's logic to fix the security hole and acknowledged Citizen Lab's assistance.

Analysts say that Lockdown Mode, Apple's extra-secure option to limit attack surface on iPhone and iPad, will block the BLASTPASS exploit chain. Citizen Lab commended Apple for the rapid "investigative response" and patch cycle.

The incident also underscores how routinely bad actors use "mercenary spyware" like NSO's Pegasus to target government employees and other civil society members. Apple's updates are designed to secure devices belonging to regular users, companies, and governments alike. Citizen Lab notes that the BLASTPASS discovery highlights the "incredible value" of supporting civil society organizations with collective cyber-security measures.