Apple is rolling out important security fixes for older-generation devices and OSes, addressing a weakness exploited by Pegasus spyware operators.
The Cupertino tech giant began issuing emergency updates last week after the spyware watchdogs at The Citizen Labsounded the alarm over a new wave of attacks involving NSO Group’s infamous Pegasus.
Apple did a quick job issuing the patches to its user base, from iPhone, iPad and Mac owners to Apple Watch users. Since Apple products share many common software components, any new weakness discovered often affects most products down the line.
This means that older-generation products can be affected as well – as is the case now. Apple is now rolling out the fixes to users of older iPhones and older-generation macOS iterations in the form of:
iOS 15.7.9 and iPadOS 15.7.9 are available for iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).
All three updates address the all-important ImageIO bug, tracked as CVE-2023-41064. According to the savvy bunch at The Citizen Lab reporting on their finding last week, the flaw can be exploited to perform a zero-click attack by sending a malicious Pass to the victim via iMessage.
The researchers stumbled across an ongoing attack leveraging this weakness “while checking the device of an individual employed by a Washington DC-based civil society organization with international offices.”
The exploit, dubbed BLASTPASS, leverages a weakness in the way Apple’s software processes image content.
“Processing a maliciously crafted image may lead to arbitrary code execution,” the iPhone maker notes in the advisories. “Apple is aware of a report that this issue may have been actively exploited.”
While most attacks involving mercenary spyware are highly targeted, Bitdefender strongly recommends updating devices as soon as the vendor makes the updates available. Also consider deploying a dedicated security solution on your iPhone or Mac.
As highlighted in our macOS Threat Report presented at Black Hat USA 2023, Apple in recent years has found it increasingly necessary to patch actively exploited vulnerabilities in its platforms. Moreover, spyware vendors are intensifying their focus on iOS, which shares many components with macOS. As a result, cybercriminals are better positioned to target Macs with this plague.