In the wake of a Citizen Lab report on 7 September revealing the active exploitation of a zero-day vulnerability to deploy NSO Group's Pegasus mercenary spyware on an Apple device, Apple issued two critical Common Vulnerabilities and Exposures (CVEs) to address the issue.
On 8 September, Apple issued an advisory disclosing the details of the two zero-day vulnerabilities: CVE-2023-41064 and CVE-2023-41061. Apple acknowledged the gravity of these vulnerabilities, acknowledging that they could have been exploited in the wild, potentially resulting in arbitrary code execution.
The Citizen Lab report linked this exploit chain to an entity dubbed 'BLASTPASS,' capable of compromising iPhones running the latest iOS version (16.6) without requiring any interaction from the victim. The vulnerability was discovered while examining a device belonging to an individual affiliated with a Washington-based civil society organisation with international reach.
Why does it matter?
Apple's zero-day exploits remain highly targeted, typically aimed at specific individuals or groups. These sophisticated attacks are often orchestrated by entities with substantial resources and expertise at their disposal. Failing to patch vulnerable devices promptly could leave individuals or organisations susceptible to exploitation by other malicious actors, potentially leading to wider dissemination of the vulnerabilities. If the details of the exploits were to become public knowledge, it could further exacerbate the situation, enabling other groups to employ similar tactics.
Security experts emphasise that these issues primarily affect individuals or groups under surveillance and encourage those who suspect they are targets of spyware and surveillance to activate Lockdown Mode. The fact that Apple did not employ its Rapid Security Response feature suggests that this threat may not be not widespread, but experts argue that patching remains the best practice in an evolving landscape where zero-day exploits are leveraged to deploy spyware.