Apple patches Blastpass exploit abused by spyware makers

Apple has moved to patch two zero-click, zero-day vulnerabilities – tracked as CVE-2023-41064 and CVE-2023-41061 – in its mobile operating system, which have allegedly been used by disgraced Israeli cyber software company NSO Group in its Pegasus spyware product sold to repressive governments.

The first, CVE-2023-41064, is a buffer overflow issue in Image I/O whereby a threat actor may achieve arbitrary code execution by getting the target device to process a maliciously crafted image. It affects iPhone 8 and later, all iPad Pros, iPad Air third generation and later, iPad fifth generation and later, and iPad mini fifth generation and later, and was discovered by Citizen Lab at the University of Toronto’s Munk School, a group of researchers and privacy experts who first exposed NSO’s practices in the summer of 2021

The second, CVE-2023-41061, is a validation issue in Wallet whereby a threat actor may use a maliciously crafted attachment to achieve arbitrary code execution. It affects the same family of devices, and was discovered via Apple itself.

At the same time, Citizen Lab published its own disclosure notice revealing that together, the two vulnerabilities form an exploit chain it has dubbed Blastpass.

Citizen Lab confirmed the chain was capable of compromising iPhones running version 16.6 of iOS, the latest version, without any interaction from the victim.

The team said that it found the vulnerabilities while examining a device owned by an employee of a Washington DC based NGO.

Citizen Lab urged all iPhone owners to update their devices immediately, and any who may face increased risk – such as activists, journalists, politicians and public figures – to consider enabling Apple’s Lockdown Mode feature, which it has been confirmed blocks the attack chain.

“We commend Apple for their rapid investigative response and patch cycle, and we acknowledge the victim and their organisation for their collaboration and assistance,” said Citizen Lab. “This latest find shows once again that civil society is targeted by highly sophisticated exploits and mercenary spyware.”

Quite aside from their use to spread spyware for government monitoring, the presence of vulnerabilities in core Apple frameworks such as Image I/O and Wallet poses a significant risk for any user, as Klaus Schenk, senior vice-president of security and threat research at Verimatrix, explained.

“Successful exploitation could allow attackers to run malicious code on affected iPhones, iPads, and Macs. The impact depends on the level of access and isolation of the targeted applications. For example, if the Wallet app is compromised, that enables significant damage given its access to sensitive user financial information,” he said.

“These types of vulnerabilities demonstrate the importance of proper app security design like sandboxing and process separation to contain potential damage. App monitoring and analysis capabilities can also help platforms detect and respond quickly to abnormal behavior indicative of an attack.

“Users should install Apple’s emergency updates immediately to patch the flaws. Caution opening email attachments and random images is warranted given reports these may be attack vectors. Enabling automatic updates can help ensure devices stay current,” added Schenk.