Apple has released security updates for old iPhones in order to address a zero-day vulnerability, identified as CVE-2023-41064, which was exploited by the NSO PEGASUS group for spyware purposes.
The vulnerability, CVE-2023-31064, allows for remote code execution and is utilized to distribute malware through iMessage.
According to Citizen Lab, earlier this month, these two vulnerabilities, CVE-2023-31064 and CVE-2023-41061, were part of a Zero-Click attack chain called Blastpass. The attack involved sending specially crafted images through iMessage’s PassKit, which, when processed, installed the NSO’s Pegasus spyware on iPhones, even those running the latest iOS version, 16.6.
Apple has addressed these security weaknesses by providing updates for MacOS Ventura 13.5.2, iOS 16.6.1, iPados 16.6.1, and Watchos 9.6.2. The security updates have now also been extended to cover iOS 15.7.9, iPados 15.7.9, Macos Monteerey 12.6.9, and Macos Big Sur 11.7.10, in order to prevent the exploitation of these vulnerabilities on the respective devices. [1] [2] [3]
The security updates cover a range of Apple devices, including the iPhone 6s, iPhone 7, the first generation of iPhone SE, iPad Air 2, the fourth generation of iPad Mini, and the seventh generation iPod Touch. Although there have been no reported attacks on MacOS computers utilizing these vulnerabilities, it is strongly advised to install the security updates as a precautionary measure. [4]
These vulnerabilities were used to target civil society representatives in Washington, including various organizations, groups, and individuals advocating for different segments of the population, operating independently from the state. [5]
| References: | |
|---|---|
| [1] Apple Support – Security Updates | https://support.apple.com/ru-ru/ht201222 |
| [2] Apple Support |