The US Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies less than a month to update their iOS, iPadOS and macOS devices in order to mitigate the risk of spyware attacks.
CISA added two recently discovered Apple zero-day flaws to its Known Exploited Vulnerabilities Catalog, stating that agencies have until October 2 to patch them through official vendor updates, or else discontinue using the products.
CVE-2023-41064 is described as a buffer overflow vulnerability in ImageIO, which occurs when processing a maliciously crafted image and may lead to code execution. It is chained with CVE-2023-41061, a validation issue in Apple Wallet in which a maliciously crafted attachment may result in code execution.
The bugs were discovered by Citizen Lab last week, after the non-profit warned that they were used in an exploit chain it dubbed “BlastPass” to deliver the notorious Pegasus spyware to an employee of a Washington-based civil society organization.
Citizen Lab claimed the exploit used PassKit attachments containing malicious images sent via iMessage.
It’s unclear who authorized the attacks on that individual, but if it’s a hostile nation, the concern will be that they could also be used to target US government officials.
Back in 2021, reports revealed that nine US State Department officials had their iPhones remotely hacked by spyware from the same source: controversial commercial malware developer NSO Group.
Apple is suing the Israeli firm in a bid to hold it accountable for the actions of some unscrupulous clients. NSO Group has always maintained that it only sells its wares for legitimate law enforcement and intelligence gathering purposes.
NSO Group was also put on a US Entity List back in 2021, theoretically making it harder for the firm to get hold of American components or work with US partners.