Zero-Click Exploit in iPhones

Citizen Lab says two zero-days fixed by Apple today in emergency security updates were actively abused as part of a zero-click exploit chain (dubbed BLASTPASS) to deploy NSO Group’s Pegasus commercial spyware onto fully patched iPhones.

The two bugs, tracked as CVE-2023-41064 and CVE-2023-41061, allowed the attackers to infect a fully-patched iPhone running iOS 16.6 and belonging to a Washington DC-based civil society organization via PassKit attachments containing malicious images.

“We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” Citizen Lab said.

“The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.”

Tags: Apple, exploits, iOS, iPhone, spyware, vulnerabilities

Posted on September 13, 2023 at 7:13 AM • 7 Comments

Comments

Fazal Majid • September 13, 2023 10:03 AM

That’s why Google wrote a secure parser for file formats, Wuffs:

https://github.com/google/wuffs

A ridiculous number of iOS vulnerabilities stem from parsers, apart from the general decline in Apple quality control, they are also clearly not fuzzing their code adequately.

Clive Robinson • September 13, 2023 12:43 PM

@ Fazal Majid,

“apart from the general decline in Apple quality control”

I’m not sure it has declined.

However I would agree it’s not risen in line with complexity…

Nick Alcock • September 13, 2023 2:20 PM

I believe this is the same libwebp bug that triggered a Chrome security release yesterday. Upstream libwebp commit 902bc9190331343b2017211debcec8d2ab87e17a, requiring a cunningly corrupted Huffman table. (Not the sort of thing a fuzzer would be likely to find.)

iHack • September 13, 2023 2:32 PM

With greater complexity comes greater vulnerability.

So despite Apple’s claims that the iPhone is the “most secure phone” commercially available, they are in fact no more secure that Android or others.

https://meduza.io/en/feature/2023/09/13/the-million-dollar-reporter

I wonder if Tim Cook regularly checks his personal iPhone(s) for Pegasus and other similar spyware. He’d certainly be a choice target given the proprietary corp info he has access to.

Jon (a different Jon) • September 13, 2023 7:58 PM

Someone paid an awful lot of money for a lot of copies of NSO’s ‘Pegasus’.

Or rampant piracy? I doubt it. J.

ResearcherZero • September 14, 2023 1:09 AM

“On February 11, one day after Pegasus hijacked Timchenko’s iPhone, she and Kolpakov joined other representatives of Russia’s exiled independent media in Berlin at a confidential seminar organized by the Redkollegia journalistic prize committee. Media managers and lawyers attended the private conference to discuss the legal aspects of operating in Russia under the conditions of total state censorship and the mass persecution of journalists and activists.”

While Pegasus is designed to obfuscate which customer is behind a particular attack, making it difficult for investigators to attribute, there are three main theories of which state is likely behind the attack:

E.U. states — primarily Estonia, Germany, or Latvia, who are suspected Pegasus users;


Russia-allied states that are also suspected Pegasus users — primarily Azerbaijan, Kazakhstan, or Uzbekistan; and

Russia.

‘https://www.accessnow.org/press-release/exiled-russian-media-pegasus/

Michael Richardson • September 15, 2023 5:33 PM

Why is the image parser running with a privilege that allows it to install new apps? Why is any app allowed that is spyware?

Zero-Click Exploit in iPhones

Comments

Leave a comment Cancel reply