Posted 25 days ago
“We urge everyone to immediately update their devices,” said researchers with Toronto-based Citizen Lab. The security gap, along with another vulnerability discovered by Apple, could be used by NSO’s flagship spyware Pegasus to surreptitiously gather everything on the target’s device—evading the encrypted protections of messaging apps like Signal or WhatsApp—even if they never clicked a link or installed software. “Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, [we] found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware,” researchers for Citizen Lab said in its report. The exploit “was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim.”
Malicious use of ApplePay and imagesThe first vulnerability, CVE-2023-41064, relates to a validation problem in the Wallet framework and can be exploited if a device is sent a “maliciously crafted attachment.” Citizen Lab called the exploit chain BLASTPASS, because it involved PassKit, a framework that allows developers to include Apple Pay in their apps. The second vulnerability, disclosed by Apple as CVE-2023-41061, is a buffer overflow issue in the Image I/O framework that can be attacked when processing “a maliciously crafted image,” Apple said. Citizen Lab said it had “immediately disclosed our findings to Apple and assisted in their investigation.” Apple said in a statement it was “aware of a report that this issue may have been actively exploited,” but declined to comment more. The company has previously touted a system to send alerts to users impacted by government-backed hacking campaigns.
Citizen Lab also said it encourages “everyone who may face increased risk because of who they are or what they do to enable Lockdown Mode,” an iOS and MacOS feature that implements additional security features. Apple’s Security Engineering and Architecture team confirmed to Citizen Lab that the setting blocks this particular attack. Apple issued its new security patches—for iOS, macOS Ventura, iPadOS and watchOS—as part of regular updates, not as a Rapid Security Response, the term Apple uses for urgent bug fixes. Including the new Pegasus exploits, the company has now patched 13 zero-days in 2023. “This latest find shows once again that civil society is targeted by highly sophisticated exploits and mercenary spyware,” Citizen Lab wrote. “Apple’s update will secure devices belonging to regular users, companies and governments around the globe. The BLASTPASS discovery highlights the incredible value to our collective cybersecurity of supporting civil society organizations.”
The secretive Herzliya-based company designed Pegasus to be delivered to unsuspecting targets’ iPhones through innocuous-looking links, messages, or WhatsApp calls; without users’ knowledge, their phones could be quietly owned by high-paying government clients. NSO says it only sells Pegasus and other weapons to vetted law enforcement agencies, and has no visibility into its clients’ targets, but it has a history of selling to governments with dubious rights records. Its zero-click spyware has been found on the phones of government officials, human rights workers, journalists, activists, academics, and business people from the UAE to Mexico and the U. S. In 2018, Pegasus was reportedly used by Saudi Arabia to target Washington Post journalist Jamal Khashoggi ahead of his state-ordered killing.In May, researchers from Amnesty International and other advocacy groups alleged that Pegasus was used to target several dozen Armenian activists’ and journalists’ smartphones during the country’s conflict with Azerbaijan between 2020 and 2022. Some of the hacking allegedly occurred after NSO was put on a U.S. blacklist in 2021. Other NSO exploits in Apple software were discovered by Citizen Lab in April. Following dogged research by Citizen Lab, tech companies, and journalists, regulators have attempted to prevent the spread of Pegasus, with the European Parliament urging EU member nations to ban it. EU lawmakers last year opened a spyware inquiry after Pegasus was found on phones associated with the British and Spanish prime ministers, Spain’s defense minister, and dozens of Catalan politicians and members of civil society groups. In August, Israel said it had set up a commission to investigate whether police had misused spyware, including Pegasus, during criminal investigations.... (Read more)