Apple Backports BLASTPASS Zero-Day Fix to Older iPhones

Cyber Security Threat Summary:
“Apple released security updates for older iPhones to fix a zero-day vulnerability tracked as CVE-2023-41064 that was actively exploited to infect iOS devices with NSO's Pegasus spyware. CVE-2023-41064 is a remote code execution flaw that is exploited by sending maliciously crafted images via iMessage. As reported by Citizen Lab earlier this month, CVE-2023-41064 and a second flaw tracked as CVE-2023-41061 were used as a zero-click attack chain dubbed BLASTPASS, which involves sending specially crafted images in iMessage PassKit attachments to install spyware. When the phones received and processed the attachment, it installed NSO's Pegasus spyware, even on fully patched iOS (16.6) devices” (BleepingComputer, 2023).

Security Officer Comments:
The security updates cover all iPhone 6s models, the iPhone 7, the first generation of the iPhone SE, the iPad Air 2, the fourth generation of the iPad mini, and the seventh generation of the iPod touch. Although no attacks have been observed on macOS computers, the flaw is theoretically exploitable there, too, so applying the security updates is strongly recommended. Since the start of the year, Apple has fixed a total of 13 zero-days exploited to target devices running iOS, macOS, iPadOS, and watchOS, including:

  • Two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
  • Three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
  • Three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
  • Two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
  • A WebKit zero-day (CVE-2023-23529) in February
Suggested Correction(s):
Apple released fixes for the two flaws with macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2, and CISA published an alert requiring federal agencies to patch by October 2, 2023. The security updates have now been backported to iOS 15.7.9 and iPadOS 15.7.9, macOS Monterey 12.6.9, and macOS Big Sur 11.7.10 to prevent the use of this attack chain on those devices. It's worth noting that support for iOS 15 ended a year ago, in September 2022, while the vendor still supports Monterey and Big Sur.
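As an added example (not part of the original summary), the check below flags devices in an OS inventory that are still below the BLASTPASS fix levels listed above; the fix versions come from this summary, while the inventory rows and device names are constructed for illustration.

```python
# Added example: compare reported OS versions against the BLASTPASS fix levels.
# Fix versions are taken from the summary above; sample inventory is constructed.

# Minimum patched version per platform and major release line.
FIXED = {
    "iOS":     {16: (16, 6, 1), 15: (15, 7, 9)},
    "iPadOS":  {16: (16, 6, 1), 15: (15, 7, 9)},
    "macOS":   {13: (13, 5, 2), 12: (12, 6, 9), 11: (11, 7, 10)},
    "watchOS": {9: (9, 6, 2)},
}

def parse_version(text: str) -> tuple:
    """'16.6' -> (16, 6, 0); padding to three parts makes 16.6 sort below 16.6.1."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def blastpass_status(platform: str, version: str) -> str:
    """Return 'patched', 'vulnerable', or 'unknown'.
    'unknown' means the release line has no fix listed above (e.g. iOS 12),
    which a defender should treat as unsupported rather than safe."""
    v = parse_version(version)
    fix = FIXED.get(platform, {}).get(v[0])
    if fix is None:
        return "unknown"
    return "patched" if v >= fix else "vulnerable"

# Constructed sample inventory: (device name, platform, reported OS version).
SAMPLE_INVENTORY = [
    ("cfo-iphone14", "iOS", "16.6"),
    ("lab-iphone7", "iOS", "15.7.9"),
    ("lab-ipad-air2", "iPadOS", "15.7.8"),
    ("dev-mbp", "macOS", "13.5.2"),
    ("legacy-imac", "macOS", "11.7.9"),
    ("watch-01", "watchOS", "9.6.2"),
    ("museum-iphone6", "iOS", "12.5.7"),
]

def exposed_devices(inventory=SAMPLE_INVENTORY) -> list:
    """Names of devices whose version is below the fix level for their line."""
    return [name for name, plat, ver in inventory
            if blastpass_status(plat, ver) == "vulnerable"]

if __name__ == "__main__":
    for name, plat, ver in SAMPLE_INVENTORY:
        print(f"{name:16} {plat:8} {ver:8} {blastpass_status(plat, ver)}")
```

Devices reported as "unknown" (a release line with no backport) need a separate follow-up, since the check cannot confirm them as patched.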