Apple has patched two critical zero-day vulnerabilities exploited in the wild to deliver eavesdropping malware from a notorious commercial spyware maker.
Non-profit Citizen Lab confirmed that it discovered the “BlastPass” exploit chain last week after checking the device of “an individual employed by a Washington DC-based civil society organization with international offices.”
It reported its findings to Apple, which assigned two CVEs to the exploit chain: CVE-2023-41064, a buffer overflow in the ImageIO image-parsing framework, and CVE-2023-41061, a validation issue in Wallet. Apple has now patched both, with iOS 16.6.1 and iPadOS 16.6.1 carrying the fixes for iPhone and iPad.
Citizen Lab claimed that the exploits were used to deliver the Pegasus spyware from blacklisted Israeli firm NSO Group.
“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” it explained.
“The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.”
NSO Group is one of many commercial developers of spyware, which operate in a legal grey area. They claim to sell their wares only for legitimate national security and law enforcement purposes, but in reality, many of these exploits and malware variants are used by autocratic regimes to spy on journalists, civil rights activists, dissidents and others.
NSO Group is being sued by both Apple and Meta (on behalf of WhatsApp) over Pegasus attacks on their users.
In 2021, the Biden administration added NSO Group to the Commerce Department's Entity List, an export blacklist that restricts it from buying US technology and components. However, there are many other companies offering similar services around the world.
That’s why, in March 2023, the US President issued an executive order banning government use of any commercial spyware that has previously been misused by foreign states to spy on citizens, dissidents, activists and others.
Citizen Lab relayed Apple's assessment that devices with Lockdown Mode enabled are protected from BlastPass. All users are nevertheless urged to update their devices, since Lockdown Mode is off by default.