Apple has released security updates for iOS, iPadOS, macOS, and watchOS that address zero-day vulnerabilities that could be exploited to deliver malware and spyware via a “maliciously crafted image” or an attachment in another format.
The vulnerabilities are fixed in the iOS 16.6.1, iPadOS 16.6.1, macOS 13.5.2 and watchOS 9.6.2 updates. No updates were released for the older iOS 15 and macOS 12 branches.
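As an added example (not from the article), a fleet patch-status check against the versions listed above: the patched versions and the unpatched major branches come from the article, while the inventory rows, device names and status labels are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Minimum versions carrying the CVE-2023-41064 / CVE-2023-41061 fixes (from the article).
PATCHED: Dict[str, str] = {
    "iOS": "16.6.1", "iPadOS": "16.6.1", "macOS": "13.5.2", "watchOS": "9.6.2",
}
# Major branches the article says received no update at all.
UNPATCHED_MAJORS: Dict[str, int] = {"iOS": 15, "macOS": 12}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple, padded to three parts, so "13.5.10" > "13.5.2" (string compare gets this wrong)."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def status(platform: str, version: str) -> str:
    """Classify one device: patched / update-available / no-fix-for-major / unknown-platform."""
    if platform not in PATCHED:
        return "unknown-platform"
    current = parse_version(version)
    # A device on an unpatched major branch cannot be fixed by a point update; it needs a major upgrade.
    if current[0] == UNPATCHED_MAJORS.get(platform):
        return "no-fix-for-major"
    if current >= parse_version(PATCHED[platform]):
        return "patched"
    return "update-available"


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"device": "iphone-01", "platform": "iOS", "version": "16.6.1"},
    {"device": "iphone-02", "platform": "iOS", "version": "16.6"},
    {"device": "mac-01", "platform": "macOS", "version": "13.5.10"},
    {"device": "mac-02", "platform": "macOS", "version": "12.6.9"},
    {"device": "watch-01", "platform": "watchOS", "version": "9.6.2"},
]


def noncompliant(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (device, status) for every row that is not on a patched build."""
    result = []
    for r in rows:
        s = status(r["platform"], r["version"])
        if s != "patched":
            result.append((r["device"], s))
    return result


if __name__ == "__main__":
    for device, s in noncompliant(SAMPLE_INVENTORY):
        print(f"{device}: {s}")
```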
The vulnerabilities, CVE-2023-41064 and CVE-2023-41061, were discovered by the Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy, which gave the exploit chain the collective name BLASTPASS. The bugs pose a fairly serious threat: to attack a user, it is enough to send a specially crafted image or an attachment in another format via iMessage; it is downloaded to the victim’s device, and no further action on the user’s part is required to infect the device. Vulnerabilities of this kind therefore belong to the zero-click class.
Citizen Lab added that the BLASTPASS exploit chain was “used to install NSO Group’s Pegasus spyware”; this Israeli developer maintains a full set of exploits for attacking iOS and Android devices. To protect users from such vulnerabilities even before they are discovered and fixed, Apple has implemented what is known as Lockdown Mode in iOS and macOS: among other things, it blocks many types of attachments and disables link previews, which prevents exploits of this kind.