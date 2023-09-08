By Alex Pasternack, 6 minute read

The blacklisted Israeli spyware maker NSO Group is behind a piece of powerful malware found on the iPhone of a D.C.-based civil society worker, researchers said Thursday, prompting Apple to push out security updates for all of its mobile and desktop systems.

“We urge everyone to immediately update their devices,” said researchers with Toronto-based Citizen Lab. The security gap, along with another vulnerability discovered by Apple, could be used by NSO’s flagship spyware Pegasus to surreptitiously gather everything on the target’s device—evading the encrypted protections of messaging apps like Signal or WhatsApp—even if the target never clicked a link or installed software. “Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, [we] found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware,” Citizen Lab researchers said in their report. The exploit “was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim.”

Malicious use of Apple Pay and images

The first vulnerability, CVE-2023-41064, relates to a validation problem in the Wallet framework and can be exploited if a device is sent a “maliciously crafted attachment.” Citizen Lab called the exploit chain BLASTPASS because it involved PassKit, a framework that allows developers to include Apple Pay in their apps. The second vulnerability, disclosed by Apple as CVE-2023-41061, is a buffer overflow issue in the Image I/O framework that can be attacked when processing “a maliciously crafted image,” Apple said. Citizen Lab said it had “immediately disclosed our findings to Apple and assisted in their investigation.” Apple said in a statement that it was “aware of a report that this issue may have been actively exploited,” but declined to comment further. The company has previously touted a system for sending alerts to users affected by government-backed hacking campaigns.
