Tuesday December 03, 2024

Advisory ID: NCC-CSIRT-130923-034

Summary: Researchers at Citizen Lab have identified zero-click exploits, meaning exploits that require no user interaction, targeting two recently patched zero-day vulnerabilities in Apple's systems. Successful exploitation of these vulnerabilities could lead to the deployment of Pegasus, the commercial spyware developed by the NSO Group, onto iPhones, even those that have been fully updated with the latest security patches. NSO stands for Niv, Shalev, and Omri; it is an Israeli cyber-intelligence company known for its proprietary Pegasus spyware, which is notorious for its capability to conduct remote, zero-click surveillance on smartphones.

Threat Type(s): Spyware

Impact/Vulnerability: HIGH/CRITICAL

Product(s): iPhone, iPad, Macs, and Apple Watch

Platform(s): Apple Operating System

Version(s): 

  • iPhone 8 and later
  • iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
  • Macs running macOS Ventura
  • Apple Watch Series 4 and later

Description: According to the researchers' findings, this exploit revolves around malicious images embedded in PassKit attachments. These harmful images are sent from an attacker's iMessage account to the victim. Furthermore, the zero-click attack identified leverages two vulnerabilities: one relates to a buffer overflow that occurs when processing carefully crafted images, and the other concerns a validation problem that can be manipulated through malicious attachments. Both of these vulnerabilities enable malicious actors to achieve arbitrary code execution on devices such as unpatched iPhones, iPads, Macs, and Apple Watches.

Consequences: Arbitrary code execution on devices such as unpatched iPhones, iPads, Macs, and Apple Watches, automatically triggered without any user interaction.  

Solution: 

  • Update your iPhone, iPad, Mac running macOS Ventura, and Apple Watch to iOS 16.6.1, iPadOS 16.6.1, macOS Ventura 13.5.2, and watchOS 9.6.2 respectively.
  • Individuals at risk of the targeted exploit because of their identity or profession (who they are and what they do) should activate Lockdown Mode by following the details given in the link below:

https://support.apple.com/en-ca/HT212650
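
For administrators applying the first solution item across many devices, the following added example (not part of the original advisory) compares a device inventory against the fixed versions listed above. The inventory layout and device names are constructed for illustration; devices on a release line for which this advisory lists no fixed version are set aside for manual review.

```python
import csv
import io
import re

# Fixed versions from the advisory's Solution section.
FIXED = {"iOS": (16, 6, 1), "iPadOS": (16, 6, 1),
         "macOS": (13, 5, 2), "watchOS": (9, 6, 2)}

# Constructed sample inventory; the column layout is an assumption.
SAMPLE_INVENTORY = """device,platform,version
exec-iphone-01,iOS,16.6
exec-iphone-02,iOS,16.6.1
field-ipad-07,iPadOS,16.5.1
design-mac-03,macOS,13.5.2
design-mac-04,macOS,13.5
design-mac-05,macOS,12.6.8
ops-watch-02,watchOS,9.6.2
kiosk-ipad-11,iPadOS,unknown
tv-01,tvOS,16.6
"""

def parse_version(text):
    """Return a 3-part integer tuple, or None if text is not a dotted version."""
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(\.[0-9]+){0,2}", text):
        return None
    nums = [int(p) for p in text.split(".")]
    return tuple(nums + [0] * (3 - len(nums)))  # "16.6" compares as 16.6.0

def audit(inventory_csv):
    """Sort device names into patched, needs_update and review."""
    report = {"patched": [], "needs_update": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["platform"])
        version = parse_version(row["version"])
        if fixed is None or version is None or version[0] != fixed[0]:
            # Unlisted platform, unreadable version, or a release line the
            # advisory gives no fixed version for: check these by hand.
            report["review"].append(row["device"])
        elif version >= fixed:
            report["patched"].append(row["device"])
        else:
            report["needs_update"].append(row["device"])
    return report

if __name__ == "__main__":
    for status, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices)}")
```
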

References:

https://www.bleepingcomputer.com/news/security/apple-zero-click-imessage-exploit-used-to-infect-iphones-with-spyware/

https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/

https://support.apple.com/en-ca/HT212650