
Apple’s iOS 16.6.1 update is now available. It fixes security flaws in the iPhone system, including a reported zero-day exploit chain that Pegasus spyware could previously use to compromise iPhones running iOS 16.6.

Apple released iOS 16.6.1 this week to deliver security fixes to iPhone devices. Initially, the update notes lacked details, but Apple later published them on its support page. According to the Cupertino giant, iOS 16.6.1 patches CVE-2023-41061 and CVE-2023-41064, flaws found in Apple’s Wallet app and in the Image I/O framework, respectively. In its advisory, Apple states that the two issues “may have been actively exploited,” adding that they could lead to arbitrary code execution.

The two CVEs are linked to the exploit chain reported by the research group Citizen Lab (via TechCrunch). According to the group, the actively exploited vulnerabilities were used to deliver NSO Group’s Pegasus mercenary spyware to iPhones. Citizen Lab named the exploit chain BLASTPASS and detailed its severity in a blog post published recently.

“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” the group wrote in the blog. “The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.”

After Citizen Lab reported the chain, Apple confirmed that the attack could be blocked using the company’s own. The group also said that the iPhone maker responded quickly once it reported the problem. Citizen Lab further underlined that Pegasus is being used to target civilians, despite being specifically designed to help governments and authorities spy on mobile devices. With this, the group urged Apple customers to install the update as soon as possible.

“This latest find shows once again that civil society is targeted by highly sophisticated exploits and mercenary spyware,” it said. “Apple’s update will secure devices belonging to regular users, companies, and governments around the globe. The BLASTPASS discovery highlights the incredible value to our collective cybersecurity of supporting civil society organizations.”
