Apple Resolves Zero-Day Vulnerabilities Exploited for Pegasus Spyware Deployment
Apple has taken swift action to address security concerns, unveiling security updates that address two zero-day exploits—previously unknown hacking techniques. These exploits were discovered when targeting a member of a civil society organization in Washington, D.C., according to researchers who detected the vulnerabilities.
Citizen Lab, an internet watchdog group dedicated to investigating government malware, recently published a concise blog post detailing their discovery of a zero-click vulnerability last week. A zero-click vulnerability allows hackers to compromise a device without any user interaction, such as clicking on an attachment. This particular vulnerability was employed as part of an exploit chain intended to deploy NSO Group's infamous malware, known as Pegasus.
In their blog post, Citizen Lab noted that this exploit chain was capable of infiltrating iPhones running the latest iOS version (16.6) without any action required from the victim. Once the vulnerability was identified, the researchers promptly reported it to Apple, who responded by releasing a patch on Thursday. Apple acknowledged the important contribution made by Citizen Lab in discovering and reporting these vulnerabilities.
Interestingly, it is suggested that Apple may have uncovered the second vulnerability while investigating the first one, as the company also patched the additional vulnerability and attributed its discovery to itself.
Apple spokesperson Scott Radcliffe declined to comment further when contacted by TechCrunch, directing inquiries to the release notes in the security update.
Citizen Lab christened this exploit chain as "BLASTPASS," as it leveraged the PassKit framework, enabling developers to incorporate Apple Pay into their applications. John Scott-Railton, a senior researcher at Citizen Lab, underscored the significance of civil society organizations in serving as an early warning system for cybersecurity on billions of devices worldwide.
In response to these security developments, Citizen Lab strongly advised all iPhone users to promptly update their devices to ensure protection against potential threats.
As of the time of reporting, NSO Group had not issued a response to requests for comment regarding the exploits and their involvement.