Following a report Sept. 7 by Citizen Lab that an actively exploited zero-click vulnerability was used to deliver NSO Group’s Pegasus mercenary spyware on an Apple device, Apple quickly moved to issue two CVEs to rectify the issue.
The Pegasus spyware developed and distributed by the NSO Group has been widely used by both the private and government sectors across the globe for surveillance purposes against journalists, human and civil rights activists, politicians and other individuals.
In an advisory Sept. 8, Apple issued details on the two zero-days: CVE-2023-41064 and CVE-2023-41061. Apple acknowledged that both flaws could have been exploited in the wild and could potentially result in arbitrary code execution.
Apple users were advised to update their devices, including iPhones, iPads, Mac computers, and Apple watches. The more at-risk users likely to be the focus of a Pegasus attack were also encouraged to enable Lockdown Mode because researchers believe it could block such an attack.
Citizen Lab to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim. Citizen Lab said they found the flaw last week while checking a device of an individual employed by a Washington-based civil society organization with international offices.
According to NIST, 41064 was a buffer overflow issue that was addressed with improved memory handling. NIST said this issue was fixed in macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1. The danger: processing a maliciously crafted image may lead to arbitrary code execution. CVE 41061 was a validation issue that was addressed with improved logic. This issue has been fixed in Apple watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1. The danger: A maliciously crafted attachment may result in arbitrary code execution.
Apple zero-click exploits highly targeted to individuals, groups
Georgia Weidman, security architect at Zimperium, said NSO is one of the companies that sells exploits to nation states. Weidman said it makes sense that they have more, and they will have more in the future.
“The good news about offensive cybersecurity companies is that they treat their exploits as their crown jewels and do not allow them to be widely used and only use them in a targeted fashion,” said Weidman. “When they slip up and we find out about them, vendors patch, they use their backup set up exploits and we continue the arms race. While there is the case with NSO in particular, there are other groups that are less economically motivated and more interested in creating chaos and disruption. Because the NSO Groups customers are nation-states they can afford to hoard exploits that might otherwise net them a million-dollar bug bounty from Apple or Google.”
Saeed Abbasi, manager of vulnerability and threat research at Qualys, said these highly sophisticated and targeted attacks are generally designed to compromise specific individuals or groups, possibly orchestrated by entities with substantial resources and expertise at their disposal.
“If individuals or organizations do not patch their devices promptly, the vulnerabilities could potentially be exploited by other malicious actors, which might lead to a broader spread,” said Abbasi. “This could be worsened if the details of the exploit become public knowledge, allowing other groups to use similar tactics.”
John Gallagher, vice president of Viakoo Labs, added that this is not an issue for the broad population, but rather people specifically being targeted for surveillance. As was recommended by Citizen Lab, Gallagher said people who suspect they are targets for spyware and surveillance should enable lockdown mode.
“That Apple did not push this out using their Rapid Security Response feature is another indication that it is not impacting most people,” said Gallagher. “Patching is always a best practice, but as the threat actors are focused on leveraging zero-day exploits to plant spyware the use of Lockdown Mode may be the safest approach.”