Carding
Professional
- Messages
- 2,871
- Reaction score
- 2,467
- Points
- 113
The "BLASTPASS" error can install malware without user interaction.
Yesterday, Apple released emergency security updates that address two Zero-Click zero-day vulnerabilities. That is, the hacking methods that were used in the attacks were unknown at the time when Apple first learned about them, and to infect a potential victim, it was not even necessary to perform any actions.
These vulnerabilities were used to attack representatives of civil society in Washington-a collection of different organizations, groups and individuals that act independently of the state and express the interests and needs of different segments of the population. Civil society in the United States has a long history of promoting democracy, human rights, and civil liberties.
Citizen Lab, a company that monitors the Internet activity of government organizations and other cybersecurity research, published a short post on its blog in which it said that last week it discovered a vulnerability used to infect victims with malware. The researchers claim that the vulnerability was part of a chain of exploits developed to deliver software from the NSO Group, known as Pegasus.
"The chain of exploits could compromise an iPhone running the latest version of iOS (16.6) without any interaction with the victim," Citizen Lab wrote.
After discovering the vulnerability, the researchers reported it to Apple, which released a patch and thanked Citizen Lab for their work. Notably, Apple seems to have also closed another related vulnerability, attributing its discovery to itself. Probably, the company's researchers identified the second vulnerability when studying the first one.
The vulnerabilities were discovered in the Image I/O and Wallet systems and are tracked as CVE-2023-41064 (detected by Citizen Lab) and CVE-2023-41061 (detected by Apple).
CVE-2023-41064 — This is a buffer overflow vulnerability that is triggered when processing images created by attackers, and this can lead to arbitrary code execution on vulnerable devices.
CVE-2023-41061 — this is a problem with verification, which can be used by using a malicious attachment to also get arbitrary code executed on target devices.
Citizen Lab called the exploit chain "BLASTPASS" because it included PassKit, a framework that allows developers to integrate Apple Pay into their apps.
Apple fixed zero days in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1 and watchOS 9.6.2, improving the memory processing logic.
The list of affected devices is quite extensive, as two security bugs affect both old and new models, and it includes:
"Civil society is once again serving as a cybersecurity early warning system for billions of devices around the world," John Scott — Railton, a senior researcher at Citizen Lab, wrote in a blog post.
Experts recommend that all users of Apple products update their devices by installing the latest security patches.
Yesterday, Apple released emergency security updates that address two Zero-Click zero-day vulnerabilities. That is, the hacking methods that were used in the attacks were unknown at the time when Apple first learned about them, and to infect a potential victim, it was not even necessary to perform any actions.
These vulnerabilities were used to attack representatives of civil society in Washington-a collection of different organizations, groups and individuals that act independently of the state and express the interests and needs of different segments of the population. Civil society in the United States has a long history of promoting democracy, human rights, and civil liberties.
Citizen Lab, a company that monitors the Internet activity of government organizations and other cybersecurity research, published a short post on its blog in which it said that last week it discovered a vulnerability used to infect victims with malware. The researchers claim that the vulnerability was part of a chain of exploits developed to deliver software from the NSO Group, known as Pegasus.
"The chain of exploits could compromise an iPhone running the latest version of iOS (16.6) without any interaction with the victim," Citizen Lab wrote.
After discovering the vulnerability, the researchers reported it to Apple, which released a patch and thanked Citizen Lab for their work. Notably, Apple seems to have also closed another related vulnerability, attributing its discovery to itself. Probably, the company's researchers identified the second vulnerability when studying the first one.
The vulnerabilities were discovered in the Image I/O and Wallet systems and are tracked as CVE-2023-41064 (detected by Citizen Lab) and CVE-2023-41061 (detected by Apple).
CVE-2023-41064 — This is a buffer overflow vulnerability that is triggered when processing images created by attackers, and this can lead to arbitrary code execution on vulnerable devices.
CVE-2023-41061 — this is a problem with verification, which can be used by using a malicious attachment to also get arbitrary code executed on target devices.
Citizen Lab called the exploit chain "BLASTPASS" because it included PassKit, a framework that allows developers to integrate Apple Pay into their apps.
Apple fixed zero days in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1 and watchOS 9.6.2, improving the memory processing logic.
The list of affected devices is quite extensive, as two security bugs affect both old and new models, and it includes:
- iPhone 8 and later;
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later;
- Macs running macOS Ventura;
- Apple Watch Series 4 and later.
"Civil society is once again serving as a cybersecurity early warning system for billions of devices around the world," John Scott — Railton, a senior researcher at Citizen Lab, wrote in a blog post.
Experts recommend that all users of Apple products update their devices by installing the latest security patches.
