Apple yesterday released macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 to fix a zero-day vulnerability across its software platforms. The vulnerability, which was discovered by The Citizen Lab at The University of Toronto's Munk School, could allow attackers to achieve remote code execution by sending a specially crafted image.
The iOS and iPadOS updates also fix another zero-day vulnerability allowing arbitrary code execution using a maliciously crafted attachment. Apple acknowledged that these critical vulnerabilities may have already been exploited by attackers. Security researchers at Citizen Lab have actually confirmed that the “zero-click” exploit has been used to install NSO Group’s Pegasus spyware on a device owned by an employee in a Washington DC-based civil society organization.
“We refer to the exploit chain as BLASTPASS,” the researchers explained yesterday. “The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim. The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.”
While the Lockdown Mode feature in iOS 16, iPadOS 16, and macOS Ventura offers protection against these critical vulnerabilities, the Citizen Lab researchers encourage iPhone, Mac, and Apple Watch users to “immediately update their devices.”