Today’s Cybersecurity Threat Advisory involves Apple, which recently released critical updates for iPhone and Mac products after two zero-day vulnerabilities in its PassKit framework, exploited via iMessage, were discovered. Both vulnerabilities allow malicious actors to execute arbitrary code on devices without any interaction from the victim. Barracuda MSP recommends applying the latest patches provided by Apple.
What is the threat?
The first zero-day, CVE-2023-41064, is a buffer-overflow vulnerability triggered by processing a maliciously crafted image through Apple PassKit’s Image I/O framework. Successful exploitation gives threat actors arbitrary code execution on the targeted device. The second zero-day, CVE-2023-41061, affects Apple PassKit’s Wallet framework: successful exploitation during the validation process lets threat actors run arbitrary code on unpatched devices. Together the two zero-days form a zero-click exploit chain tracked as BLASTPASS, which has been observed deploying NSO Group’s Pegasus commercial spyware onto various Apple products. The following devices are affected by these vulnerabilities:
- iPhone 8 and later
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Ventura
- Apple Watch Series 4 and later
Why is it noteworthy?
Apple devices are among the most commonly used bring-your-own-device (BYOD) endpoints and are often not managed by companies. These vulnerabilities affect two of Apple’s most popular products, iPhones and Macs. Each CVE received a Common Vulnerability Scoring System (CVSS) base score of 7.8 (High) according to NIST’s National Vulnerability Database. Action should be taken as soon as possible, as successful exploitation requires no interaction from the user.
What is the exposure or risk?
Apple’s recent zero-day vulnerabilities pose significant exposure and risk for its customers. If exploited successfully, they lead to arbitrary code execution, which in observed attacks delivered NSO Group’s Pegasus commercial spyware and could deliver other payloads. Apple has released patches for these vulnerabilities in its latest advisory.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of the zero-days:
- Install the latest patch available on your devices.
- For high-profile identities/professions, consider activating Lockdown Mode on devices.
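The two recommendations above amount to a fleet check: which Apple devices are still below the patched OS level, and which high-profile users have not enabled Lockdown Mode. The following Python script is an added example, not part of the Barracuda MSP advisory or any Apple or MDM tooling. The inventory rows, user names, role names and the minimum-version thresholds are all constructed placeholders; the real fixed versions must be taken from Apple’s security pages listed under References.

```python
"""Review an MDM-style inventory export for devices that are unpatched
against this advisory or that belong to high-profile users without
Lockdown Mode. Added example; everything below is constructed."""

import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed inventory export for the example (not real devices or users).
SAMPLE_INVENTORY = """device,user,role,platform,os_version,lockdown_mode
iphone-ceo,alice,executive,iOS,16.6.1,no
iphone-sales1,bob,staff,iOS,16.5,no
mac-legal1,carol,legal,macOS,13.5.2,yes
mac-dev2,dave,staff,macOS,13.4,no
ipad-exec,erin,executive,iPadOS,16.6,yes
pixel-ops,frank,staff,Android,13,no
mac-old,grace,staff,macOS,unknown,no
"""

# PLACEHOLDER thresholds for the demo only. Replace with the fixed versions
# named on Apple's security pages (HT213905 / HT213906 in the References).
PLACEHOLDER_MIN_VERSIONS: Dict[str, str] = {
    "iOS": "16.6",
    "iPadOS": "16.6",
    "macOS": "13.5",
}

# Roles the organisation treats as high-profile (constructed for the demo).
HIGH_PROFILE_ROLES: Set[str] = {"executive", "legal"}


def parse_version(text: str) -> Tuple[int, ...]:
    """'16.6.1' -> (16, 6, 1). Raises ValueError for non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))


def is_below(version: str, minimum: str) -> bool:
    """True when `version` is older than `minimum`; '16.6' equals '16.6.0'."""
    v, m = parse_version(version), parse_version(minimum)
    width = max(len(v), len(m))
    v += (0,) * (width - len(v))
    m += (0,) * (width - len(m))
    return v < m


def review_inventory(
    inventory_csv: str,
    min_versions: Dict[str, str],
    high_profile_roles: Set[str],
) -> List[Tuple[str, str, str]]:
    """Return (device, finding, detail) tuples for devices needing action."""
    findings: List[Tuple[str, str, str]] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        platform = row["platform"]
        minimum = min_versions.get(platform)
        if minimum is None:
            continue  # platform not covered by this advisory
        version = row["os_version"]
        try:
            outdated = is_below(version, minimum)
            detail = f"{platform} {version} < {minimum}"
        except ValueError:
            # Unparseable version: treat as unpatched rather than silently pass.
            outdated = True
            detail = f"{platform} version {version!r} could not be parsed"
        if outdated:
            findings.append((row["device"], "unpatched", detail))
        if row["role"] in high_profile_roles and row["lockdown_mode"].lower() != "yes":
            findings.append(
                (row["device"], "lockdown-mode-off", f"{row['role']} user {row['user']}")
            )
    return findings


if __name__ == "__main__":
    for device, finding, detail in review_inventory(
        SAMPLE_INVENTORY, PLACEHOLDER_MIN_VERSIONS, HIGH_PROFILE_ROLES
    ):
        print(f"{device:14s} {finding:18s} {detail}")
```

Devices whose version string cannot be parsed are deliberately reported as unpatched, since an inventory gap on a zero-click bug should be resolved by checking the device, not by assuming it is fine.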
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/apple-zero-click-imessage-exploit-used-to-infect-iphones-with-spyware/
- https://www.bleepingcomputer.com/news/apple/apple-discloses-2-new-zero-days-exploited-to-attack-iphones-macs/
- https://support.apple.com/en-us/HT213906
- https://support.apple.com/en-us/HT213905
- https://support.apple.com/en-ca/HT212650
- https://nvd.nist.gov/vuln/detail/CVE-2023-41061
- https://nvd.nist.gov/vuln/detail/CVE-2023-41064
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.