Zero-Click Vulnerabilities in Apple Operating Systems
- 08/09/2023 --- v1.0 -- Initial publication
In an article published on September 7, 2023, Citizen Lab uncovered an actively exploited zero-click vulnerability used to deliver NSO Group's Pegasus spyware to an employee of a Washington DC-based civil society organisation. This exploit, named BLASTPASS, could compromise iPhones running the latest iOS version without user interaction. The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.
Citizen Lab promptly reported their findings to Apple, who issued two CVEs related to this exploit chain (CVE-2023-41064 and CVE-2023-41061). These vulnerabilities have now been patched in iOS, iPadOS, watchOS and macOS.
A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1. Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
A validation issue was addressed with improved logic. This issue is fixed in watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1. A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
The affected products are macOS Ventura, watchOS, iOS and iPadOS devices.
CERT-EU strongly recommends updating Apple devices.
Users who may face increased risk because of who they are or what they do could enable Lockdown Mode.