Apple released security updates for older iPhones to fix a zero-day vulnerability tracked as CVE-2023-41064 that was actively exploited to infect iOS devices with NSO’s Pegasus spyware.
CVE-2023-41064 is a remote code execution flaw that is exploited by sending maliciously crafted images via iMessage.
As reported by Citizen Lab earlier this month, CVE-2023-41064 and a second flaw tracked as CVE-2023-41061 were used as a zero-click attack chain dubbed BLASTPASS, which involves sending specially crafted images in iMessage PassKit attachments to install spyware.
When the phones received and processed the attachment, it installed NSO’s Pegasus spyware, even on fully patched iOS (16.6) devices.
Apple released fixes for the two flaws in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2, and CISA published an alert requiring federal agencies to patch by October 2, 2023.
The security updates have now been backported to iOS 15.7.9 and iPadOS 15.7.9, macOS Monterey 12.6.9, and macOS Big Sur 11.7.10 to prevent the use of this attack chain on these devices.
It is worth noting that support for iOS 15 ended a year ago, in September 2022, while the vendor still supports Monterey and Big Sur.
The security updates cover all iPhone 6s models, the iPhone 7, the first generation of the iPhone SE, the iPad Air 2, the fourth generation of the iPad mini, and the seventh generation of the iPod touch.
Although no attacks have been observed on macOS computers, the flaw is theoretically exploitable there, too, so applying the security updates is strongly recommended.
Since the start of the year, Apple has fixed a total of 13 zero-days exploited to target devices running iOS, macOS, iPadOS, and watchOS, including: