Civil society organization Citizen Lab discovered a zero-click vulnerability on Apple devices. The vulnerability allows Pegasus mercenary spyware to infiltrate devices.
Zero-click means the spyware is able to infiltrate iPhones without any interaction from Apple users. This means victims need not click or tap on any attachment to activate it. Even more concerning is the fact that the vulnerability compromises iPhones running the latest version of iOS (16.6).
Consequently, Citizen Lab reported the matter to Apple and worked with the company to investigate the exploit. As a result, Apple released an update on Thursday. The update is for all Apple products including iPhones, iPads, Mac computers, and Apple Watches.
Hence, all users are urged to update their devices immediately.
Two Different Vulnerabilities Detected
“The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victims,” wrote Citizen Lab. The first vulnerability, tracked as CVE-2023-41064, allowed devices to become vulnerable to attack when processing “a maliciously crafted image,” Apple said. It specifically affects the Image I/O framework.
Another bug, CVE-2023-41061, creates a security vulnerability if a device is sent a “maliciously crafted attachment.” This vulnerability was detected in the company’s Wallet function.
It’s not the first time this year Apple has disclosed zero-click vulnerabilities used in spyware campaigns: two bugs fixed in June were exploited in a campaign that the Russian government blamed on the USA.
The Pegasus spyware is linked to the company NSO Group. In 2021, the Biden administration placed the group on an export prohibition list for allegedly selling spyware to foreign governments that use the tools to violate human rights and stifle dissent. Reports allege the spyware was deployed to target assassinated Saudi journalist Jamal Khashoggi.
Citizen Lab is an organization that investigates government spyware. The group is concerned that the latest find indicates that civil society is targeted by highly sophisticated exploits and mercenary spyware. The exploit had infiltrated one of their employees’ iPhones.