Apple reveals previously undisclosed vulnerabilities associated with spyware developed by NSO Group

On Thursday, Apple issued software updates to address two previously undisclosed vulnerabilities that cybersecurity researchers claim were employed to distribute the NSO Group’s Pegasus spyware to at least one target.

According to cybersecurity experts from The University of Toronto’s Citizen Lab, all Apple device users should promptly update their operating systems to rectify these flaws.

Citizen Lab stumbled upon an actively exploited zero-click vulnerability, utilized to deliver NSO Group’s Pegasus spyware, while examining the device of an individual associated with a Washington DC-based civil society organization with global operations.

This exploit chain had the capability to compromise iPhones running the most recent iOS version (16.6) without requiring any interaction from the user.

One of these vulnerabilities, identified as CVE-2023-41064, affects the Image I/O framework and made devices, including certain iPhones, iPads, Macs, and Apple Watches, susceptible to attack when processing a “maliciously crafted image.”

The other vulnerability, CVE-2023-41061, posed similar security risks when a device received a “maliciously crafted attachment” in the context of the company’s Wallet feature.

Apple acknowledged that it was “aware of a report suggesting that this issue may have been actively exploited,” but did not provide further details.

Citizen Lab promptly disclosed its findings to Apple and collaborated on the investigation.

These software updates encompass macOS Ventura, iOS, iPadOS, and watchOS, and were released as part of the routine updates for these products, rather than being labeled as a Rapid Security Response, which denotes bug fixes issued urgently between full OS updates.

With the disclosure of these two vulnerabilities, Apple has now patched a total of 13 zero-day vulnerabilities in 2023.

Pegasus, which was first developed in 2011, has been utilized globally, often by governments for surveillance on their citizens. It has been used to target individuals such as the assassinated Saudi journalist Jamal Khashoggi, members of the Catalan independence movement, and human rights investigators in Mexico.

Regulators have taken steps in recent years to curb its proliferation, with the European Parliament urging EU member states to ban it. Additionally, U.S. President Joe Biden signed an executive order earlier this year prohibiting the government’s use of commercial spyware.

This isn’t the first time this year that Apple has disclosed zero-days allegedly exploited in spyware campaigns. In June, Apple fixed two bugs that were reportedly exploited in a campaign the Russian government attributed to the U.S. Furthermore, in July, Apple had to reissue a separate Rapid Security Response after the initial patch caused certain websites not to display correctly.