Apple addresses zero-day vulnerabilities exploited in recent spyware attack

Apple has successfully patched two zero-day vulnerabilities in its iOS operating system. These flaws were actively exploited in a recent spyware attack that targeted an organization based in the United States. The attack involved the use of the notorious Pegasus spyware developed by the NSO Group. Researchers discovered that the spyware was delivered through malicious images sent as PassKit attachments via iMessage. The vulnerabilities, known as CVE-2023-41064 and CVE-2023-41061, allowed for arbitrary code execution on the affected devices. Apple has fixed these vulnerabilities and released software updates for iOS, iPadOS, macOS, and watchOS.

Details of the exploited iOS zero-day flaws

The first vulnerability, CVE-2023-41064, was a buffer overflow vulnerability in the ImageIO component that allowed an attacker to execute arbitrary code by sending crafted image files. Apple addressed this flaw by improving the memory handling in the affected component. The second vulnerability, CVE-2023-41061, involved a validation issue in the wallet component that allowed for arbitrary code execution when processing a malicious attachment. Apple fixed this issue by enhancing the logic used for processing attachments. These vulnerabilities affected iPhones, iPads, Macs, and Apple Watches.

Apple's response and patching efforts

Following the discovery of the zero-day vulnerabilities, Apple promptly took action to address the security risks. The company released iOS version 16.6.1 and iPadOS version 16.6.1 to patch the vulnerabilities on iPhones and iPads. Additionally, macOS Ventura version 13.5.2 and watchOS version 9.6.2 were released to address the same vulnerabilities on Macs and Apple Watches. Users are strongly advised to update their devices to the latest software versions as soon as possible to mitigate the risks associated with these exploits.

About Pegasus spyware

Pegasus is a highly sophisticated spyware developed by the Israeli firm NSO Group. It is known for targeting iOS devices, particularly iPhones, though it has also been reported to affect Android devices, albeit less frequently. Pegasus is often utilized in state-sponsored attacks and is designed to exploit zero-day vulnerabilities in iOS. Its primary targets are professionals such as journalists, activists, and government officials. The spyware can infect a device through various means, such as a simple message or phone call, without the user's interaction. It operates stealthily, leaving no trace on the infected device and making it difficult to remove using traditional malware removal methods.