Apple has patched two critical vulnerabilities in its mobile operating system that were being exploited in the wild by NSO Group’s Pegasus spyware. One was discovered by Citizen Lab and the other identified by Apple itself; together they form a zero-click exploit chain called “Blastpass.” The flaws allow an attacker to run arbitrary code on affected Apple devices, and, because one of them sits in the Wallet app, could potentially expose the sensitive financial data that app holds.
The two vulnerabilities are tracked as CVE-2023-41064 and CVE-2023-41061. The first, reported by Citizen Lab, is a buffer overflow in the Image I/O framework that parses images for the system, and it affects iPhone, iPad, Mac and Apple Watch. The second, found by Apple, is a validation issue in the Wallet app, where a maliciously crafted attachment can lead to code execution. Chained together, the two bugs make up “Blastpass.”
Citizen Lab confirmed that the Blastpass chain could compromise an iPhone running the then-current iOS release (16.6) with no interaction from the victim. The vulnerabilities were found while Citizen Lab examined the device of an employee of a Washington DC-based civil society organization. Citizen Lab urges all iPhone users to install the update immediately and recommends Apple’s Lockdown Mode for people at elevated risk, such as activists and journalists; Citizen Lab reports that Lockdown Mode blocks this particular attack chain.
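The practical follow-up to “update your devices” is checking which devices in a fleet are still below the fix level. The script below is an added example and is not part of the original article or of Apple’s or Citizen Lab’s tooling. It assumes the fix levels from Apple’s September 2023 security releases (iOS and iPadOS 16.6.1, macOS Ventura 13.5.2, watchOS 9.6.2), and the inventory format (device,platform,version) and the sample devices are constructed for the example; an MDM export would need its own parser. Version strings are compared as integer tuples, so 16.10 correctly ranks above 16.6.1, which a plain string comparison would get wrong.

```python
from typing import Dict, List, Tuple

# Minimum OS versions carrying the Blastpass fixes (assumed from Apple's
# 7 September 2023 security releases; not stated in the article above).
# Older macOS branches received separate updates and would need their own
# fix levels; only Ventura is covered here.
PATCHED: Dict[str, Tuple[int, ...]] = {
    "ios": (16, 6, 1),
    "ipados": (16, 6, 1),
    "macos": (13, 5, 2),
    "watchos": (9, 6, 2),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.6.1' into (16, 6, 1). A trailing build id such as
    '16.6.1 (20G81)' is dropped, and '16.6' is padded to (16, 6, 0) so
    that tuple comparison orders versions numerically."""
    core = text.strip().split()[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_patched(platform: str, version: str) -> bool:
    """True when the reported version is at or above the fix level."""
    minimum = PATCHED.get(platform.lower())
    if minimum is None:
        raise ValueError(f"no fix level known for platform {platform!r}")
    return parse_version(version) >= minimum


def unpatched_devices(inventory: str) -> List[str]:
    """Return the names of devices below the fix level.

    inventory: lines of 'device,platform,version' (constructed format);
    blank lines and '#' comments are ignored.
    """
    flagged = []
    for line in inventory.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        device, platform, version = [f.strip() for f in line.split(",")]
        if not is_patched(platform, version):
            flagged.append(device)
    return flagged


# Constructed sample export; these are not real devices.
SAMPLE_INVENTORY = """
# device,platform,version
reporter-iphone,iOS,16.6
editor-iphone,iOS,16.6.1 (20G81)
lawyer-ipad,iPadOS,16.5.1
newsroom-mac,macOS,13.5.2
field-watch,watchOS,9.6.2
"""

if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print("UPDATE NEEDED:", name)
```

Running the script on the sample flags the iPhone still on 16.6 and the iPad on 16.5.1; the device whose version string carries a build identifier is handled because the parser discards everything after the first space.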
Klaus Schenk of Verimatrix emphasized the serious risk posed by these vulnerabilities, which allow attackers to execute malicious code on affected devices. A compromise of the Wallet app could potentially lead to significant damage because of its access to users’ sensitive financial data. Schenk advised users to install the emergency updates promptly and to be cautious with email attachments and random images, which are potential attack vectors.
The NSO Group, the maker of Pegasus, has faced scrutiny for years over allegations that its spyware has been used to surveil journalists, lawyers and government officials. Pegasus can extract a wide range of data from a device without the user’s knowledge. Earlier accusations led to calls for NSO to be blacklisted and to litigation involving tech giants including Apple and Amazon. Despite the allegations and the ongoing legal battles, NSO maintains that it acts as an agent of foreign governments and should therefore be immune from such lawsuits.