Apple races to patch the latest zero-day iPhone exploit

Apple devices are again under attack, with a zero-click, zero-day vulnerability used to deliver Pegasus spyware to iPhones discovered in the wild. Even running the latest version of iOS (16.6) is no defence against the exploit, which involves PassKit attachments containing malicious images. Once sent to the victim's iMessage …

  1. ferkle

    This was patched yesterday

    Not to be that guy, but 16.6.1 released yesterday has patched this vuln out.

    1. Annihilator

      Re: This was patched yesterday

      Not to be that other guy...

      "Apple moved swiftly, assigning two CVEs to the exploit chain – CVE-2023-41064 and CVE-2023-41061 – and issuing updates for iOS and iPadOS"

      "As for the latest exploits, the advice is to update your iOS and iPadOS devices immediately"

      And despite all that, it was a zero-day exploit discovered in the wild. So still newsworthy, and a prompt reminder to patch. Despite having auto-updates on, mine hadn't done it yet - just done it manually.

      1. Anonymous Coward

        Re: This was patched yesterday

        I've had lockdown mode enabled for about two months. I haven't noticed any reduction in functionality, except people I don't know can't call me on FaceTime.

        1. Fred Flintstone Gold badge

          Re: This was patched yesterday

          people I don't know can't call me on FaceTime

          Ah. Must enable that immediately.

          :)

        2. Methos_Vk

          Re: This was patched yesterday

          You never need to view PDFs?

      2. Korev Silver badge

        Re: This was patched yesterday

        The article also states "Even running the latest version of iOS (16.6) is no defence against the exploit," which is misleading

      3. PB90210 Bronze badge

        Re: This was patched yesterday

        Gosh, it even made it to MailOnline the same day... as long as you can tear your eyes away from "shirtless Harry Styles shows off toned 6-pack..." in the sidebar of shame

    2. katrinab Silver badge

      Re: This was patched yesterday

      Sure, but I didn't know about it, and neither my iPhone nor my iPad had prompted me to update. So I did it manually when I saw the headline.

      1. frankrider

        Re: This was patched yesterday

        So basically Apple products have a built-in grace period before they actually auto-update - even for security updates. So if you want to stay current you have to either manually check daily or stay abreast of the news.

  2. Grunchy Silver badge

    What?

    Guys, get real: the insecurity is the iMessage service itself!

    Any information you send via Apple or Google or Microsoft is definitely getting read by artificially intelligent daemons trying to figure out how to steal your money or your vote or your stock tips or whatever else they can steal.

    1. Clausewitz4.0 Bronze badge

      Yeap! Finally someone (outside of the exploit developers ecosystem) realized that

      FaceTime / iMessage guys - the usual culprits, if there isn't a WebKit + sandbox escape + kernel exploit around

    2. Androgynous Cupboard Silver badge

      "daemons" in this context do not mean what you think they mean.

    3. IGotOut Silver badge

      Remind me how Apple steal my vote? Just wondering if I need to invest in better door locks or tim foil shares

      1. Ashto5

        Tim foil

        I’d invest in that

        1. Tim99 Silver badge

          Re: Tim foil

          I wouldn’t…

          1. Throatwarbler Mangrove Silver badge

            Re: Tim foil

            "Curses, foiled again!"

            --Tim99

      2. MrDamage

        Tim Foil Shares

        Will go well with my Tim Apple shares.

    4. s. pam

      That's why we use Signal

      iMassage was disabled on all our iDevices 2-3 years ago and Signal is great.

      1. teknopaul

        Re: That's why we use Signal

        Would that help?

    5. teknopaul

      Seemingly, the vuln was in PassKit; your rant-bang would be better directed at that.

      Why would anyone think to write PassKit in a memory-safe language?

  3. Erik Beall

    The intentionally incompatible iMessage yet again?

    How many zero days does iMessage have to get before people stop blindly trusting Apple as "more secure"? Android isn't better but the fact that Apple not only intentionally disables SMS functionality for non Apple recipients (given the lack of regulatory attention, one could be forgiven for thinking Apple's actions are legal) but has also enabled professional spyware like the NSO Group's (undoubtedly others as well) to assist their customers in spying primarily on innocent and vulnerable groups (what fraction of their sales goes to police forces operating with legal authority versus all the other users), I don't think I want any devices with iMessage or FaceTime on my network either. Not that I have much choice given all the friends, family and co-workers that are certain Apple does security for them...

    1. Anonymous Coward

      Re: The intentionally incompatible iMessage yet again?

      Seen it recently where someone claimed the first Mac virus was in OSX, so many of those koolaid drinkers have no clue about the history or wilfully ignore it.

      1. gnasher729 Silver badge

        Re: The intentionally incompatible iMessage yet again?

        Many, many years ago there was NVIR. Which infected Mac apps running on an infected computer. Being nice, we added a bit of code that detected if our app was infected and showed an alert.

        Our boss demonstrated the app at a major bank. It got infected instantly and showed an alert.

      2. ThomH

        Re: The intentionally incompatible iMessage yet again?

        Yeah, if one person made a false claim, that definitely proves everything you've always been saying and that we all should have listened to you sooner. What fools we've been.

    2. Dinanziame Silver badge

      Re: The intentionally incompatible iMessage yet again?

      Apple makes great hardware — software, not so much.

      1. teknopaul

        Re: The intentionally incompatible iMessage yet again?

        Apple _outsources_ great hardware...

        Ftfy

        Best not talk about their software.

        1. MrDamage

          Re: The intentionally incompatible iMessage yet again?

          They even outsourced the design of their kit to Braun.

          https://www.forbes.com/sites/anthonykosner/2013/11/30/jony-ives-no-longer-so-secret-design-weapon/?sh=20835bf83f62

    3. DS999 Silver badge

      Re: The intentionally incompatible iMessage yet again?

      This wasn't an iMessage issue per se, it was an issue with the PassKit library sending passes (think tickets to concerts or sporting events) from one user's Apple Wallet to another. iMessage is how those passes are being transmitted, but if Apple had set up a way to send them via MMS or Signal the same vulnerability would have existed.

    4. Anonymous Coward

      Re: The intentionally incompatible iMessage yet again?

      the fact that Apple not only intentionally disables SMS functionality for non Apple recipients

      If they have data, they'll get it via iMessage which is richer in functionality, if they're offline it'll be SMS.

      I don't see the "evil" here, sorry. Or did that mess up your fact-short narrative?

  4. Anonymous Coward

    Apple races to patch the latest zero-day iPhone exploit

    I've become totally cynical about these exploits only being patched after being discovered by some third party. Pegasus spyware being around since 2011. Not much of a race /s

    1. DS999 Silver badge

      Re: Apple races to patch the latest zero-day iPhone exploit

      You do understand that's the definition of a "zero day" flaw, right? Apple also fixes stuff they discovered, and stuff others discovered, for which there is no evidence anyone has ever exploited it.

      If you have some evidence that proves they knew about this exploit for years but ignored it because they are secretly supporting NSO Group, please share. You would have to be prepared for a lot of major media like NYT, WSJ, and so on requesting interviews with you about your bombshell report.

    2. IGotOut Silver badge

      Re: Apple races to patch the latest zero-day iPhone exploit

      @t245t

      You're new to IT right?

      1. Snake Silver badge

        Re: new to IT

        Don't dismiss his complaint so quickly. If Pegasus is from 2011 you could hope that systems fuzzing for vulnerabilities would take known actors into account. Read: if it is known that buffer overflows are a target, special consideration would be made, from programming to compilation to fuzzing, to check for this issue.

        You could hope, but hope it seems is all that users have been getting. Pegasus was a known issue but no one thought to issue a fix, as BLASTPASS allowed the full installation AND activation of Pegasus without issue, meaning that the OS's only protection against Pegasus...was not to get infected in the first place.

        The difference in the details is important.

        1. DS999 Silver badge

          Re: new to IT

          Pegasus has been around since 2011 but has not been using this exploit the whole time! PassKit didn't even exist until 4-5 years ago IIRC.

          Whenever Pegasus starts using a new exploit they know the clock is ticking before Apple finds out about it and closes the hole, and they will switch to another exploit they had already discovered or purchased that they've kept on ice now that Apple has closed this one.

          That's why NSO Group goes to extreme lengths to limit how much their software can be used, and by whom. They make sure that they are selling to "legit" governments and law enforcement (in quotes because they don't care if they are terrible repressive governments, just that they are the actual terrible repressive government of country X rather than an imposter claiming to represent country X) and they make sure that it can only be installed on a small number of phones.

          Because if Apple was able to masquerade as a customer, they would have a pipeline into all Pegasus updates and could close holes as quickly as it was updated until NSO Group ran out, plus the more phones Pegasus spyware is installed on the greater the chance Apple or a security researcher will get their hands on it and reverse engineer the exploit.

          No one reading this needs to worry about being hacked by these exploits, because NSO Group goes to great lengths to ensure that only a few thousand people in the world in total will have Pegasus used against them.

          1. cyberdemon Silver badge

            Re: new to IT

            > No one reading this needs to worry about being hacked by these exploits, because NSO Group goes to great lengths to ensure that only a few thousand people in the world in total will have Pegasus used against them.

            .. And if you believe that, you'll believe anything!

            1. teknopaul

              Re: new to IT

              Seems reasonable that pegasus would be careful.

              At the same time I'm sure Apple have spyware as a service available for uncle Sam.

          2. goldcd

            I agree

            but Apple could easily solve this issue by simply paying more as a bug-bounty than NSO does.

            1. claimed Silver badge

              Re: I agree

              Fast forward to where Apple flings about millions of dollars for someone detecting a flaw.

              Ok

              Bad guy now has choice of getting a million bucks and “helping America”, or less and hurting “America”. Can you not envisage a scenario where this might still allow for zero days…?

              Human motivation, while closely tied to money, is not exclusively so

              1. Snowy Silver badge

                Re: I agree

                Make more by selling it to both of them!

            2. Charlie Clark Silver badge

              Re: I agree

              You're assuming there are only two horses in that race… Even then it's not as simple as you think: NSO finds many exploits itself.

            3. DS999 Silver badge

              Re: I agree

              but Apple could easily solve this issue by simply paying more as a bug-bounty than NSO does.

              That assumes everything NSO uses was purchased on the open market, and that Apple has access to these "markets". Who knows how many exploits are discovered by e.g. state sponsored hackers for China or the US for that matter who later sell the exploit they found to NSO Group for some extra cash. They couldn't go to Apple and risk being exposed, but I'm sure NSO Group would be willing to pay under the table in ways Apple wouldn't, like bitcoin or maybe even a briefcase filled with cash.

          3. Charlie Clark Silver badge

            Re: new to IT

            You're trying to put a positive spin on what is generally accepted as poor security behaviour by Apple. 0-day exploits are the only ones that are known about. NSO is only one of many possible actors searching for and potentially exploiting such issues and they all have a vested interest in keeping such issues quiet. Apple seems to think so as well. There have been many reports of Apple not responding to reports in the hope that security through obscurity will help.

            They should be learning from others (except Microsoft perhaps) in the software industry that have established procedures for reporting such issues, developing and providing patches and informing their users. Unfortunately, however, patch releases like this are the exception rather than the rule. Users normally have to wait for the more or less regular OS updates which often contain poorly documented information about patched flaws.

            Software can't be perfect and exploits will always be found so it's essential to develop a culture that accepts this and policies to mitigate consequences as much as possible. Apple still has a long way to go in this respect.

            1. DS999 Silver badge

              Re: new to IT

              What are you talking about? Apple releases patches quite regularly, they even instituted a special system for releasing security critical patches even faster when necessary. They create CVEs for every single issue, even ones they find themselves - which most companies do not do because it inflates their count.

              They are not perfect, but they are better than most now which is quite an improvement over the past 5-6 years when they were not responding as quickly as they should, didn't have a bug bounty program, and so forth.

    3. Prst. V.Jeltz Silver badge

      Re: Apple races to patch the latest zero-day iPhone exploit

      Pegasus spyware being around since 2011. Not much of a race /s

      There was an article a couple of days ago about downloaders/droppers vs payloads. Comments said no one needed that explaining.

      https://www.theregister.com/2023/08/28/top_malware_loaders/

  5. Anonymous Coward

    improved logic

    So, just logic then

    The code is either logical and acting as intended, or it is illogical and not acting as intended.

    There is no middle ground with logic.

    1. claimed Silver badge

      Re: improved logic

      Could it not also be:

      logical and not acting as intended, or illogical but acting as intended?

      You know, logically speaking

  6. Potemkine! Silver badge

    Buffer overflow

    How can such a thing still happen in 2023?!? For a developer, it should be part of Security 101

    1. Anonymous Coward

      Re: Buffer overflow

      Not sure the controversy on that post, finding a zero click buffer overflow in a front-line application like an SMS app/iMessage feels pretty 20 years ago. One more example of putting too much attack surface on untrusted interfaces subject to the unwashed and unfiltered horror that is the internet. Bonus because it can be slipped in between the sheets of the end-to-end encryption preventing Apple from easily blocking it, like the SMS string of doom from a few years back.

      It's still an easy enough mistake to make in this era, but also one that robust code analysis tools should have shaken loose, and Apple has few excuses for missing them on things like iMessage or Safari.

      As attacks get worse, don't be surprised if that bad image trick is exploitable from other services like Safari or AirDrop as well.
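The attack-surface point in the comment above (a parser trusting a length field from an untrusted attachment) as an added illustration in C; this is not code from the article, from Apple, or from the actual bug, and the toy chunk format, MAX_PIXELS and the function names are constructed for the example. It also picks up Snake's earlier remark about fuzzing for known bug classes, by running a few constructed inputs through the checked parser.

```c
#include <stdint.h>
#include <string.h>

/* Constructed toy "image chunk": 4-byte big-endian payload length followed
 * by payload bytes. Hypothetical format, not Apple's PassKit or ImageIO. */
#define MAX_PIXELS 64

typedef struct {
    uint8_t pixels[MAX_PIXELS];
    size_t used;
} image_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The class of defect the thread describes: a length taken from the
 * attachment is trusted, so memcpy can run past the destination buffer
 * or read past the input. Kept only for contrast; never fed bad input. */
int parse_chunk_unchecked(const uint8_t *buf, size_t len, image_t *img) {
    if (len < 4) return -1;
    uint32_t n = be32(buf);
    memcpy(img->pixels, buf + 4, n);  /* no check against MAX_PIXELS or len */
    img->used = n;
    return 0;
}

/* Hardened version: the length is attacker-controlled, so it is validated
 * against both the destination capacity and the bytes actually supplied. */
int parse_chunk_checked(const uint8_t *buf, size_t len, image_t *img) {
    if (buf == NULL || img == NULL || len < 4) return -1;
    uint32_t n = be32(buf);
    if (n > MAX_PIXELS) return -2;    /* would overflow img->pixels */
    if (n > len - 4) return -3;       /* claims more bytes than were sent */
    memcpy(img->pixels, buf + 4, n);
    img->used = n;
    return 0;
}

/* Small fuzz-style driver over constructed inputs: one well-formed chunk,
 * one claiming 256 bytes, one claiming 8 bytes while carrying only 4. */
int count_rejected(void) {
    image_t img;
    const uint8_t good[8]  = {0, 0, 0, 4, 1, 2, 3, 4};
    const uint8_t huge[8]  = {0, 0, 1, 0, 1, 2, 3, 4};
    const uint8_t trunc[8] = {0, 0, 0, 8, 1, 2, 3, 4};
    int rejected = 0;
    rejected += parse_chunk_checked(good, sizeof good, &img) != 0;
    rejected += parse_chunk_checked(huge, sizeof huge, &img) != 0;
    rejected += parse_chunk_checked(trunc, sizeof trunc, &img) != 0;
    return rejected;  /* 2: only the well-formed chunk is accepted */
}
```

A real fuzz harness would generate the length and payload bytes rather than hard-coding three cases, but the two checks in parse_chunk_checked are the ones such a harness is there to exercise.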

  7. Ian Johnston Silver badge

    Just how many insiders does NSO Group have at Apple, installing backdoors as fast as researchers can find them?

  8. Tron Silver badge

    Such exalted company.

    As a nobody, I'm proud to post amongst folk who must rush to protect themselves from state spooks, zero(day)ing in on the highest profile targets.
