Apple Releases iOS, macOS, and watchOS Updates to Fix Critical Security Vulnerabilities


Apple yesterday released macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1, and watchOS 9.6.2 to fix a zero-day vulnerability on its software platforms. The vulnerability, which was discovered by The Citizen Lab at The University of Toronto’s Munk School, could allow attackers to perform remote code execution by sending a specially crafted image.

The iOS and iPadOS updates also fix another zero-day vulnerability that allows arbitrary code execution through a maliciously crafted attachment. Apple acknowledged that these critical vulnerabilities may have already been exploited by attackers. Security researchers at Citizen Lab have confirmed that the “zero-click” exploit has been used to install NSO Group’s Pegasus spyware on a device owned by an employee of a Washington DC-based civil society organization.

“We refer to the exploit chain as BLASTPASS,” the researchers explained yesterday. “The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim. The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.”

While the Lockdown Mode feature in iOS 16, iPadOS 16, and macOS Ventura offers protection against these critical vulnerabilities, the Citizen Lab researchers encourage iPhone, Mac, and Apple Watch users to “immediately update their devices.”


Thurrott