"Apple Rushes to Patch Zero-Day Flaws Exploited for Pegasus Spyware on iPhones"

Apple has released emergency security updates for iOS, iPadOS, macOS, and watchOS to patch two zero-day vulnerabilities exploited in the wild to deliver NSO Group's Pegasus mercenary spyware. The first vulnerability, tracked as CVE-2023-41061, is a validation issue in Wallet that could lead to arbitrary code execution when a maliciously crafted attachment is handled. The second vulnerability, tracked as CVE-2023-41064, is a buffer overflow issue in the Image I/O component that could lead to arbitrary code execution if a maliciously crafted image is processed. The Citizen Lab at the University of Toronto's Munk School disclosed that the vulnerabilities have been weaponized as part of a zero-click iMessage exploit chain dubbed BLASTPASS to launch Pegasus on fully patched iPhones running iOS 16.6. This article continues to discuss the zero-day flaws exploited to deliver NSO Group's Pegasus mercenary spyware. 

THN reports "Apple Rushes to Patch Zero-Day Flaws Exploited for Pegasus Spyware on iPhones"
