Implications of the Apple iMessage Exploit
Recently, Apple pushed out an emergency update to fix two iOS zero-day flaws that were being used to deliver spyware to unsuspecting victims. For those who are less tech-savvy: these two flaws let attackers get into your iPhone without you tapping or opening anything, so that they could listen in and harvest personal data from it.
The good news? A simple update will keep the malicious actors at bay. Head over to Settings on your iPhone, scroll down and tap ‘General’, then ‘Software Update’, and tap Install. Let the download finish and the phone restart, and you’ll be good to go. If you are someone this kind of spyware is typically aimed at (journalists, activists, lawyers, executives), Apple’s Lockdown Mode is also worth turning on: the researchers who found this exploit chain reported that Apple confirmed Lockdown Mode blocks this particular attack.
For those who want the more ‘technical’ nerd-speak edition (or those who are simply curious), here is a rundown of what transpired this past weekend:
Two zero-day vulnerabilities, tracked as CVE-2023-41064 and CVE-2023-41061, were found by Citizen Lab being exploited in the wild on the iPhone of an employee of a civil society organisation. Chained together (Citizen Lab calls the chain BLASTPASS), they allowed attackers to run arbitrary code on the device through a zero-click iMessage exploit.
What is a Zero-Click Exploit?
As the name implies, a zero-click exploit is an attack that requires no interaction or input from the victim: no link to tap, no attachment to open. In the case of this Apple exploit, the victim is compromised simply by receiving an iMessage carrying a malicious attachment, which is a seemingly harmless and routine event for almost all iPhone users. The phone parses the attachment automatically when the message arrives, so the malicious code runs before the user has done anything with it.
What is a Zero-Day Vulnerability/Flaw?
A zero-day vulnerability is a flaw in a computer system that attackers discover and exploit before the developers of that system know it exists, so no patch is available; the ‘zero’ refers to the number of days the vendor has had to fix it. With this knowledge, attackers develop exploits that take advantage of the flaw (usually for malicious reasons!). Once the vendor ships a fix, as Apple has done here, the flaw stops being a zero-day for everyone who installs the update, which is why updating promptly matters.
As mentioned, the delivery method was a zero-click iMessage exploit, which allowed NSO Group’s Pegasus spyware to be installed on fully patched Apple devices running iOS 16.6. For those unaware, Pegasus was first publicly documented in 2016 and is used for eavesdropping on mobile phones and collecting data from their victims. Pegasus is spyware rather than a self-spreading virus: it is delivered deliberately to chosen targets, and once it is on a device it can be extremely difficult to detect and remove. Where a compromise is suspected, forensic tools such as Amnesty International’s Mobile Verification Toolkit (MVT) can check a backup of the device against published Pegasus indicators of compromise, and an Apple threat notification is another signal that should be taken seriously.
Here is the description of each vulnerability that has been patched, and how the two were used together to get the Pegasus spyware onto Apple devices:
CVE-2023-41064:
A buffer overflow in ImageIO, the framework iOS uses to parse and render most image file formats. Processing a maliciously crafted image can lead to arbitrary code execution, so an image that the system decodes automatically, such as one arriving inside a message, is enough to trigger it.
CVE-2023-41061:
A validation issue in Wallet, the app that stores payment cards, IDs, tickets and passes (PassKit). A maliciously crafted attachment can result in arbitrary code execution. In this chain, the attackers sent PassKit attachments containing malicious images from an attacker-controlled iMessage account: the Wallet flaw got the attachment processed without the victim doing anything, and the ImageIO overflow then ran the attackers’ code on the phone.
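To make the vulnerability class behind CVE-2023-41064 concrete, here is an added example in C. It is not code from this page, from Apple, or from the researchers who found the bug, and it deliberately does not reproduce the real ImageIO flaw: it is a toy decoder for a made-up image format whose 4-byte header declares width and height. The vulnerable version lets that attacker-controlled header decide how many bytes get copied into a fixed 64-byte pixel buffer, which is the shape of bug a crafted image exploits; the hardened version checks the declared size against both the buffer and the bytes actually present, in a way that cannot itself overflow. The format, buffer size and sample inputs are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy image format (constructed for this example, not a real format):
 *   bytes 0-1: width  (little-endian uint16)
 *   bytes 2-3: height (little-endian uint16)
 *   bytes 4.. : width*height pixel bytes
 */
#define HDR_LEN    4
#define MAX_PIXELS 64   /* fixed-size pixel buffer the decoder writes into */

static void read_dims(const uint8_t *d, uint16_t *w, uint16_t *h) {
    *w = (uint16_t)(d[0] | (d[1] << 8));
    *h = (uint16_t)(d[2] | (d[3] << 8));
}

/* Number of bytes the vulnerable decoder would copy: derived purely from
 * the attacker-controlled header, never from the buffer or payload size. */
size_t vulnerable_copy_len(const uint8_t *data, size_t len) {
    uint16_t w, h;
    if (len < HDR_LEN) return 0;
    read_dims(data, &w, &h);
    return (size_t)w * h;
}

/* VULNERABLE: trusts the header. A header claiming 0x4000 x 0x4000 pixels
 * makes memcpy write far past the 64-byte 'out' buffer and read far past
 * 'data'. Never call this on untrusted input; it is here to show the bug. */
size_t decode_vulnerable(const uint8_t *data, size_t len, uint8_t out[MAX_PIXELS]) {
    size_t n = vulnerable_copy_len(data, len);
    if (len < HDR_LEN) return 0;
    memcpy(out, data + HDR_LEN, n);   /* no bound on n: buffer overflow */
    return n;
}

/* HARDENED: every quantity taken from the file is checked before it drives a
 * memory operation. Returns 0 on success, -1 on a malformed image. */
int decode_hardened(const uint8_t *data, size_t len, uint8_t out[MAX_PIXELS], size_t *written) {
    uint16_t w, h;
    size_t n;
    if (data == NULL || out == NULL || written == NULL) return -1;
    if (len < HDR_LEN) return -1;          /* header itself is incomplete */
    read_dims(data, &w, &h);
    if (w == 0 || h == 0) return -1;       /* empty image is not valid here */
    if (w > MAX_PIXELS / h) return -1;     /* w*h > MAX_PIXELS, tested without overflowing */
    n = (size_t)w * h;
    if (n > len - HDR_LEN) return -1;      /* header promises more pixels than are present */
    memcpy(out, data + HDR_LEN, n);
    *written = n;
    return 0;
}

/* Constructed sample inputs. */
static const uint8_t good_img[HDR_LEN + 64] = { 8, 0, 8, 0 };               /* 8x8, 64 zero pixels */
static const uint8_t crafted_img[]   = { 0x00, 0x40, 0x00, 0x40, 0xAA, 0xBB }; /* claims 16384x16384 */
static const uint8_t truncated_img[] = { 8, 0, 8, 0, 1, 2, 3, 4, 5, 6 };       /* 8x8 but only 6 bytes */

int main(void) {
    uint8_t out[MAX_PIXELS];
    size_t n = 0;
    int rc;
    printf("vulnerable decoder would copy %zu bytes into a %d-byte buffer\n",
           vulnerable_copy_len(crafted_img, sizeof crafted_img), MAX_PIXELS);
    rc = decode_hardened(good_img, sizeof good_img, out, &n);
    printf("hardened: good image rc=%d, %zu bytes decoded\n", rc, n);
    rc = decode_hardened(crafted_img, sizeof crafted_img, out, &n);
    printf("hardened: crafted header rc=%d (rejected)\n", rc);
    rc = decode_hardened(truncated_img, sizeof truncated_img, out, &n);
    printf("hardened: truncated payload rc=%d (rejected)\n", rc);
    return 0;
}
```

The two checks that matter are the division-based size test (it answers "does w*h exceed the buffer?" without ever computing a product that could wrap) and the comparison against the bytes actually received; a real decoder applies the same discipline to every length, offset and count it reads out of the file.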
While it is unlikely that our clients have been targeted with the Pegasus spyware, we advise all users to update to the latest version of iOS (16.6.1 at the time of writing) as soon as possible. The same flaws were fixed for iPadOS (16.6.1), macOS Ventura (13.5.2) and watchOS (9.6.2), so those devices should be updated too.