Apple Issues Urgent Security Update to Patch Zero-Click iPhone Spyware Vulnerability


Apple recently issued an emergency security update to patch a zero-click vulnerability in iPhones that was being actively exploited to install sophisticated Pegasus spyware.

The Vulnerability

Researchers at Citizen Lab discovered that threat actors were exploiting two zero-day vulnerabilities (tracked as CVE-2023-41064 and CVE-2023-41061) to remotely compromise iPhones without any user interaction. The vulnerabilities allowed arbitrary code execution if a target opened a maliciously crafted image or PDF sent via iMessage.

This "zero-click" exploit was used to deliver NSO Group's Pegasus spyware to a fully patched iPhone of a civil society group employee. Pegasus can access messages, photos, recordings and location data once installed on a device.

Scope of Impact

The vulnerabilities impact iPhones, iPads and Mac devices running the latest iOS 16.6, iPadOS 16.6 and macOS Ventura respectively. This includes popular devices such as iPhone 8 models and later, iPad Pro models, and 5th generation iPads and later.

Unless updated, over 1 billion Apple devices worldwide were vulnerable to this remote attack. Given Pegasus' capabilities, a successful exploit could severely compromise a target's privacy and digital security.

Apple's Response

Apple pushed emergency security updates within a week to address the issues. The iOS 16.6.1, iPadOS 16.6.1 and macOS Ventura 13.5.2 patches included improved input validation and memory handling.

This was the 13th zero-day Apple had to patch this year alone, highlighting growing "hack-now-fix-later" targeting of its platforms. Apple also recommended enabling "Lockdown Mode" for high-risk users.

Recommendations

  • Immediately update all Apple devices to the latest iOS 16.6.1, iPadOS 16.6.1 and macOS Ventura versions.
  • Consider enabling "Lockdown Mode" in Settings if facing heightened monitoring risks due to occupation or activism.
  • Be cautious when receiving unsolicited files or links via messages, and avoid clicking shared images or files from unknown contacts.
  • Use up-to-date antivirus software on devices to filter malware before it can exploit platform vulnerabilities.
  • Employ a security key or strong multifactor authentication wherever available to safeguard online accounts linked to iOS devices.