Apple has released three emergency patches to address a critical vulnerability that can be exploited to install spyware on its devices. The fixes ship in macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1, and watchOS 9.6.2. In its advisories, Apple stated that a maliciously crafted attachment could lead to arbitrary code execution, and acknowledged reports of active exploitation. The University of Toronto’s Citizen Lab discovered evidence of this exploitation, revealing that NSO Group’s Pegasus spyware was being installed through a zero-click exploit called “BLASTPASS.” These attacks used PassKit attachments sent as iMessage images, carrying the harmful payload. Users can protect their devices against BLASTPASS by applying the patches or enabling Apple’s Lockdown Mode.
Citizen Lab’s investigation identified BLASTPASS on a device belonging to a Washington DC-based civil society organization with international offices. Both Apple and Citizen Lab categorized this spyware as “mercenary spyware,” meaning it is sold to various actors, particularly government security services, without any essential political ties. The Times of Israel described the recently issued Apple patch as specifically designed to counter the vulnerability exploited by NSO’s Pegasus.
In response to Citizen Lab’s findings, NSO Group declined to comment on the report, stating that it cannot respond to allegations lacking supporting research. NSO Group has consistently maintained that Pegasus is a lawful intercept tool exclusively sold to governments for legitimate law enforcement purposes. However, The Guardian has extensively covered instances of Pegasus misuse in countries such as Mexico, Saudi Arabia, India, Rwanda, and the UAE.
Ken Westin, Field CISO at Panther Labs, expressed concerns about the vulnerability potentially being exploited by parties other than Pegasus operators, and suggested that it may involve more than just commercial spyware. Westin pointed to the discovery of the vulnerability and the documented differences between software versions as indications that exploits targeting it are likely to become more prevalent and extend beyond the realm of commercial spyware. He noted that while the initial exploit may have been used in a somewhat targeted manner by NSO Group, the group lacks transparency in disclosing the specific targets of its exploits. Regrettably, innocent individuals, including journalists and dissidents, have been targeted by authoritarian regimes using Pegasus. With the patch now available, the primary concern shifts to others identifying the vulnerability, which is expected to increase the proliferation of exploits.
Apple’s prompt response in releasing emergency patches to address the vulnerability underscores the company’s commitment to securing its devices and protecting users from potential spyware attacks. As the threat landscape continues to evolve, it is crucial for individuals and organizations to prioritize keeping their operating systems and applications up to date with the latest security patches. By doing so, they can mitigate the risk of falling victim to sophisticated exploits and safeguard their sensitive data and online activities.

