Apple has fixed two zero-day vulnerabilities actively being used to deliver Israel-based NSO Group’s Pegasus spyware on iPhones.
Internet watchdog group Citizen Lab, while checking the device of an individual employed by a Washington DC-based civil society organisation with international offices, found the zero-click vulnerability.
“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” Citizen Lab said in a statement late on Thursday.
They refered to the exploit chain as ‘BLASTPASS’. The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.
Citizen Lab immediately disclosed our findings to Apple and assisted in their investigation.
Apple issued two CVEs related to this exploit chain (CVE-2023-41064 and CVE-2023-41061).
“We would like to acknowledge The Citizen Lab at The University of Torontoʼs Munk School for their assistance,” said the tech giant.
Citizen Lab has urged everyone to immediately update their devices.
“We encourage everyone who may face increased risk because of who they are or what they do to enable Lockdown Mode,” the researchers said.
Apple’s update will secure devices belonging to regular users, companies, and governments around the globe.
“The ‘BLASTPASS’ discovery highlights the incredible value to our collective cybersecurity of supporting civil society organizations,” said the watchdog.