Apple updates older iPhone models with the BLASTPASS zero-day fix.


Apple has released security updates for older iPhone models to address CVE-2023-41064, a zero-day vulnerability that was being actively exploited to infect iOS devices with NSO’s Pegasus spyware.

CVE-2023-41064 is a remote code execution vulnerability that can be exploited by sending iMessages containing maliciously crafted images.

As Citizen Lab disclosed earlier this month, BLASTPASS is a zero-click attack chain that installs spyware by delivering specially crafted images in iMessage PassKit attachments. The chain used CVE-2023-41064 together with a second bug tracked as CVE-2023-41061.

Even fully patched iOS (16.6) devices were infected with NSO’s Pegasus spyware once they received and processed the file.

Apple fixed the two vulnerabilities with the release of macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2, and CISA has issued a notice mandating that government entities apply the patches by October 2, 2023.

The security updates have now been backported as iOS 15.7.9 and iPadOS 15.7.9, macOS Monterey 12.6.9, and macOS Big Sur 11.7.10, to stop this attack chain from being used against devices on those older releases.

Although the vendor continues to support Big Sur and Monterey, it’s important to note that support for iOS 15 ended a year ago in September 2022.

The security updates cover all iPhone 6s models, the iPhone 7, the iPad Air 2, the fourth generation of the iPad mini, the first generation of the iPhone SE, and the seventh generation of the iPod touch.

Although no attacks have been seen on macOS systems, deploying the security patches is strongly advised, as the flaw is technically exploitable there as well.
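One way to check a device inventory against the fixed releases listed above, as an added example that is not from the article or from Apple; the inventory rows, hostnames and function names are constructed for illustration. Versions are compared as integer tuples because a plain string comparison would rank 11.7.10 below 11.7.9.

```python
# Added example: audit OS versions against the fixed releases named in the article.
# Minimum fixed release per (platform, major version), as listed in the article.
FIXED = {
    ("iOS", 16): (16, 6, 1),
    ("iPadOS", 16): (16, 6, 1),
    ("iOS", 15): (15, 7, 9),
    ("iPadOS", 15): (15, 7, 9),
    ("macOS", 13): (13, 5, 2),    # Ventura
    ("macOS", 12): (12, 6, 9),    # Monterey
    ("macOS", 11): (11, 7, 10),   # Big Sur
    ("watchOS", 9): (9, 6, 2),
}

def parse_version(text):
    """Turn '16.6' or '11.7.10' into a 3-tuple of ints, padding with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def patch_status(platform, version):
    """Return 'patched', 'vulnerable' or 'unlisted' for one device."""
    v = parse_version(version)
    fixed = FIXED.get((platform, v[0]))
    if fixed is None:
        # The article names no fixed release for this line: flag for manual review.
        return "unlisted"
    return "patched" if v >= fixed else "vulnerable"

def audit(inventory):
    """Map each device name to its patch status."""
    return {name: patch_status(platform, ver) for name, platform, ver in inventory}

# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    ("iphone-6s-kiosk", "iOS", "15.7.8"),
    ("iphone-14-exec", "iOS", "16.6"),
    ("mac-build-01", "macOS", "11.7.9"),
    ("mac-build-02", "macOS", "11.7.10"),
    ("ipad-legacy", "iPadOS", "14.8.1"),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY).items():
        print(f"{name:18} {status}")
```

Devices reported as `unlisted` run a release line for which the article gives no fixed version, so they need a manual decision rather than an automatic pass.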

Since the beginning of the year, Apple has patched 13 zero-day vulnerabilities that were used to target iOS, macOS, iPadOS, and watchOS devices, including:

  • Two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
  • Three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
  • Three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
  • Two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
  • A WebKit zero-day (CVE-2023-23529) in February