

Apple Inc. has released urgent security updates for its suite of operating systems after revealing two critical new vulnerabilities that researchers say were exploited by Israeli spyware maker NSO Group Ltd. to install spyware on devices.
NSO Group, with its Pegasus spyware, has been one of the most controversial cybersecurity companies of recent times. Pegasus is a form of software that uses zero-day or unpatched exploits to infect mobile devices.
Recent zero-days in Apple products being exploited by NSO were discovered by Citizen Lab in April, and it’s Citizen Lab that discovered one of the two new exploits, Apple revealing the other.
The first vulnerability, discovered by Citizen Lab and tracked as CVE-2023-41064, is a buffer overflow issue in the Image I/O framework. The second vulnerability, tracked as CVE-2023-41061, is a validation issue in the Wallet framework.
In a report today, Citizen Lab said that it had discovered the Image I/O framework vulnerability, which it has dubbed “BLASTPASS,” while checking the device of an individual employed by a Washington D.C.-based civil society organization with international offices. Citizen Lab found that the zero-day vulnerability had been exploited to install NSO Group’s Pegasus spyware.
Apple has addressed both zero-days in the latest releases for a range of products — iOS and iPadOS 16.6.1, macOS 13.5.2, and watchOS 9.6.2. Along with Mac Ventura, products affected include the iPhone 8 and later, all models of the iPad Pro, the iPad Air 3rd generation and later, the iPad 5th generation and later, the iPad mini 5th generation and later, and the Apple Watch Series 4 and later.
The first zero-day has been addressed with improved memory handling, while the second was fixed by implementing improved logic. Citizen Lab is also urging all Apple users to update their devices.
“This latest find shows once again that civil society is targeted by highly sophisticated exploits and mercenary spyware,” Citizen Lab wrote. “Apple’s update will secure devices belonging to regular users, companies and governments around the globe. The BLASTPASS discovery highlights the incredible value to our collective cybersecurity of supporting civil society organizations.”
Support our open free content by sharing and engaging with our content and community.
Where Technology Leaders Connect, Share Intelligence & Create Opportunities
SiliconANGLE Media is a recognized leader in digital media innovation serving innovative audiences and brands, bringing together cutting-edge technology, influential content, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — such as those established in Silicon Valley and the New York Stock Exchange (NYSE) — SiliconANGLE Media operates at the intersection of media, technology, and AI. .
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a powerful ecosystem of industry-leading digital media brands, with a reach of 15+ million elite tech professionals. The company’s new, proprietary theCUBE AI Video cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.