Zero-Click Exploit in iPhones

Make sure you update your iPhones:

Citizen Lab says two zero-days fixed by Apple today in emergency security updates were actively abused as part of a zero-click exploit chain (dubbed BLASTPASS) to deploy NSO Group’s Pegasus commercial spyware onto fully patched iPhones.

The two bugs, tracked as CVE-2023-41064 and CVE-2023-41061, allowed the attackers to infect a fully-patched iPhone running iOS 16.6 and belonging to a Washington DC-based civil society organization via PassKit attachments containing malicious images.

“We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” Citizen Lab said.

“The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.”

Posted on September 13, 2023 at 7:13 AM8 Comments


Clive Robinson September 13, 2023 12:43 PM

@ Fazal Majid,

“apart from the general decline in Apple quality control”

I’m not sure it has declined.

However I would agree it’s not risen in line with complexity…

Nick Alcock September 13, 2023 2:20 PM

I believe this is the same libwebp bug that triggered a Chrome security release yesterday. Upstream libwebp commit 902bc9190331343b2017211debcec8d2ab87e17a, requiring a cunningly corrupted Huffman table. (Not the sort of thing a fuzzer would be likely to find.)

iHack September 13, 2023 2:32 PM

With greater complexity comes greater vulnerability.

So despite Apple’s claims that the iPhone is the “most secure phone” commercially available, they are in fact no more secure that Android or others.

I wonder if Tim Cook regularly checks his personal iPhone(s) for Pegasus and other similar spyware. He’d certainly be a choice target given the proprietary corp info he has access to.

Jon (a different Jon) September 13, 2023 7:58 PM

Someone paid an awful lot of money for a lot of copies of NSO’s ‘Pegasus’.

Or rampant piracy? I doubt it. J.

ResearcherZero September 14, 2023 1:09 AM

“On February 11, one day after Pegasus hijacked Timchenko’s iPhone, she and Kolpakov joined other representatives of Russia’s exiled independent media in Berlin at a confidential seminar organized by the Redkollegia journalistic prize committee. Media managers and lawyers attended the private conference to discuss the legal aspects of operating in Russia under the conditions of total state censorship and the mass persecution of journalists and activists.”

While Pegasus is designed to obfuscate which customer is behind a particular attack, making it difficult for investigators to attribute, there are three main theories of which state is likely behind the attack:

E.U. states — primarily Estonia, Germany, or Latvia, who are suspected Pegasus users;

Russia-allied states that are also suspected Pegasus users — primarily Azerbaijan, Kazakhstan, or Uzbekistan; and



Vles September 22, 2023 8:41 AM

Preface: I’ve been recovering from major illness that has kept me silent for many years. I used to read this blog with interest and passion. I’ve started that again, albeit take it in a morsel at a time.

I use such a device. Do I need to apologise for that to the people that know better than I and tell me I’m stupid for doing so? What technology to trust? Regular information such as this device has X vulnerability makes me feel there’s no value in being spontaneous anymore on the internet and communicating with people because every device and ICT infrastructure is exploited at some point in time and to some degree. Also, having to second guess every spontaneous act kills creativity, and makes the world a less hospitable place imho. Before you do anything, remember your OpSec and CYA! (Cover Your Ass) – what a way to live.

I hold integrity, honesty, transparency, resiliency in high regard. I hope the people that design and create these technologies that we use on the net do so too. I share, because I want to connect with people, not be exploited by the wrong people. When it comes to entrusting parts of my psyche and persona to a spot on the internet, I feel everytime I need to take a leap of faith. I know I’m not perfect. Here I have been living a good part of my life fearful of THAT moment someone comes to visit me and exploits my vulnerabilities, because of something I said or wrote or posted. I choose not to be fearful anymore. Better to learn how to deal with the intimidators and interrogaters and baddies than cower away. It’s taken me many years to own up to myself.

(Dylan Moran) — ‘Why do I even dare to think I could dream I could imagine I could hope…?’

…for a world, where everyone can be vulnerable and honest, without fear of repression, intimidation, exploitation, manipulation?

P.S.: Yes, I have a weak spot for redheads and I also love the brunettes with the sun behind them and the coppery glow surrounding them. There just a thing of beauty and a preference, but I don’t discriminate based on haircolor. My safe word is ‘apples’, but you knew all of that already.

Hello World,

from Vlissingen, NL (Vles)

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.