Apple has just released security updates that patch two zero-day vulnerabilities that were exploited against a member of a civil society organization in Washington.
The zero-click vulnerability was discovered by Citizen Lab, an internet watchdog group that investigates government malware, which published a blog post on Thursday explaining what it had found.
“Zero-click” means that the hackers’ target doesn’t have to tap or click anything (for instance, an attachment) to trigger the attack. According to the researchers, the vulnerability was used to deliver NSO Group’s Pegasus spyware.
“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” wrote Citizen Lab.
According to the researchers, the exploit involved PassKit attachments containing malicious images sent from an attacker’s iMessage account to the victim. Citizen Lab immediately disclosed its findings to Apple, and the company quickly issued an update for Apple products including iPhones, iPads, Mac computers, and watches.
“We encourage all users to immediately update their devices. We also urge all at-risk users to consider enabling lockdown mode as we believe it blocks this attack,” said Citizen Lab.
The group mentions only one Apple update in its blog post, but the tech company patched another vulnerability and credited its discovery to Apple itself. This probably means Apple found the second flaw while investigating the first one.
Citizen Lab explained that it called the exploit chain BLASTPASS because it involved PassKit, a framework that allows developers to include Apple Pay in their apps.
“Once more, civil society is serving as the cybersecurity early warning system for billions of devices around the world. Including you, if you're reading this on your iPhone. Or Mac,” John Scott-Railton, a senior researcher at Citizen Lab, wrote on X, formerly known as Twitter.
It’s not the first and probably not the last time Apple and NSO Group, an Israeli cyber firm, have locked horns. In 2021, Apple filed a lawsuit against NSO Group and its parent company OSY Technologies for allegedly targeting US Apple users with its Pegasus spyware.
The Pegasus Project revealed that the spyware, made and licensed by NSO Group, had been used in attempted and successful hacks of smartphones belonging to journalists, government officials, and human rights activists.
The spyware runs on iPhone and Android mobile devices and gives its operator access to messages, emails, and photos, and can even secretly record calls and activate microphones.