Apple’s Zero-Day Fix for Older iPhones: Backporting the BLASTPASS Solution

September 12, 2023

Apple has rolled out security updates to fix a zero-day vulnerability, tracked as CVE-2023-41064, that was being actively exploited to infect iOS devices with NSO's Pegasus spyware. This remote code execution flaw can be exploited by sending malicious images through iMessage. Earlier this month, Citizen Lab reported that CVE-2023-41064 and another vulnerability, CVE-2023-41061, were used in a zero-click attack chain known as BLASTPASS. The attack involves sending specially crafted images in iMessage PassKit attachments to install spyware. Once the attachment was received and processed, NSO's Pegasus spyware was installed, even on fully patched iOS (16.6) devices.

Apple issued fixes for these two vulnerabilities in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2. The Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert requiring federal agencies to patch by October 2, 2023. These security updates have now been backported to iOS 15.7.9 and iPadOS 15.7.9, macOS Monterey 12.6.9, and macOS Big Sur 11.7.10 to prevent this attack chain from being used against these devices. Note that support for iOS 15 ended in September 2022, while Monterey and Big Sur are still supported by the vendor.

The security updates apply to all iPhone 6s models, the iPhone 7, the first generation of the iPhone SE, the iPad Air 2, the fourth generation of the iPad mini, and the seventh generation of the iPod touch. While no attacks have been observed on macOS computers, the flaw could theoretically be exploited on these devices as well, so applying the security updates is highly recommended. Since the beginning of the year, Apple has patched 13 zero-days exploited to target devices running iOS, macOS, iPadOS, and watchOS.
