Citizen Lab discovered two no-click zero-day vulnerabilities while checking an unidentified individual’s device, which was delivering mercenary spyware from NSO Group’s Pegasus.
Citizen Lab disclosed this information to Apple immediately and has assisted with the investigation. Apple, in turn, added two CVEs to this exploit chain: CVE-2023-41064 and CVE-2023-41061.
Researchers at Citizen Lab are calling the exploit chain “Blastpass,” which can compromise iPhones running iOS 16.6.1 and tablets running iPadOS 16.6.1 without any victim interaction. “Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” the company said in a statement.
This vulnerability has been addressed in Apple’s most recent round of patches, and researchers recommend users update their devices. Those who are at extremely high risk due to their identity or profession should enable lockdown mode, an extreme protection measure for those who might be targeted in sophisticated digital threats, though few are ever attacked in such a manner.
- SEO Powered Content & PR Distribution. Get Amplified Today.
- PlatoData.Network Vertical Generative Ai. Empower Yourself. Access Here.
- PlatoAiStream. Web3 Intelligence. Knowledge Amplified. Access Here.
- PlatoESG. Automotive / EVs, Carbon, CleanTech, Energy, Environment, Solar, Waste Management. Access Here.
- PlatoHealth. Biotech and Clinical Trials Intelligence. Access Here.
- ChartPrime. Elevate your Trading Game with ChartPrime. Access Here.
- BlockOffsets. Modernizing Environmental Offset Ownership. Access Here.
- Source: https://www.darkreading.com/vulnerabilities-threats/apple-hit-by-two-no-click-zero-days-in-blastpass-exploit-chain