Apple Inc. has released urgent security updates for its suite of operating systems after revealing two critical new vulnerabilities that researchers say were exploited by Israeli spyware maker NSO Group Ltd. to install spyware on devices.

NSO Group, with its Pegasus spyware, has been one of the most controversial cybersecurity companies of recent times. Pegasus is a form of software that uses zero-day or unpatched exploits to infect mobile devices.

Recent zero-days in Apple products being exploited by NSO were discovered by Citizen Lab in April, and it’s Citizen Lab that discovered one of the two new exploits, Apple revealing the other.

The first vulnerability, discovered by Citizen Lab and tracked as CVE-2023-41064, is a buffer overflow issue in the Image I/O framework. The second vulnerability, tracked as CVE-2023-41061, is a validation issue in the Wallet framework.

In a report today, Citizen Lab said that it had discovered the Image I/O framework vulnerability, which it has dubbed “BLASTPASS,” while checking the device of an individual employed by a Washington D.C.-based civil society organization with international offices. Citizen Lab found that the zero-day vulnerability had been exploited to install NSO Group’s Pegasus spyware.

Apple has addressed both zero-days in the latest releases for a range of products — iOS and iPadOS 16.6.1, macOS 13.5.2, and watchOS 9.6.2. Along with Mac Ventura, products affected include the iPhone 8 and later, all models of the iPad Pro, the iPad Air 3rd generation and later, the iPad 5th generation and later, the iPad mini 5th generation and later, and the Apple Watch Series 4 and later.

The first zero-day has been addressed with improved memory handling, while the second was fixed by implementing improved logic. Citizen Lab is also urging all Apple users to update their devices.

“This latest find shows once again that civil society is targeted by highly sophisticated exploits and mercenary spyware,” Citizen Lab wrote. “Apple’s update will secure devices belonging to regular users, companies and governments around the globe. The BLASTPASS discovery highlights the incredible value to our collective cybersecurity of supporting civil society organizations.”

Image: Bing Image Creator