Apple Releases iOS 16.6.1 in Response to New Pegasus Spyware Attack


In what will hopefully turn out to be one last iOS 16 update before iOS 17 is released this month, Apple has just released iOS 16.6.1, an important sub-point release that fixes a pair of severe security flaws in iOS 16.6.

Although late-cycle iOS point releases are usually pretty uninspiring, they’re necessary to patch vulnerabilities discovered by security researchers. No matter how much Apple tries to harden its software against exploits, it’s impossible to catch everything in something as complex as iOS. The result is a cat-and-mouse game as security experts — hopefully ethical, “white hat” hackers — discover these flaws and report them to Apple so they can be patched.

This is precisely why iOS 16.6 was a vital update; even though it carried no user-facing features to encourage folks to update, it plugged numerous security holes, some of which had already been exploited by malicious hackers to potentially compromise users’ iPhones.

Thankfully, out of 16 security vulnerabilities fixed in iOS 16.6, Apple was only aware of two flaws being “actively exploited.” To be clear, that doesn’t mean the other 14 hadn’t been; merely that Apple and other security researchers had no evidence of this. However, once iOS 16.6 was released along with the list of security fixes, the cat was out of the bag, giving bad actors a map of how to attack devices that hadn’t been updated to iOS 16.6.

The same is true with two new security issues fixed in iOS 16.6.1 — both of which may have already been actively exploited by mercenary spyware.

What’s Fixed in iOS 16.6.1

Specifically, iOS 16.6.1 fixes two vulnerabilities uncovered by Citizen Lab researchers at The University of Toronto’s Munk School of Global Affairs and Public Policy.

The first, found in the ImageIO framework, could allow a maliciously crafted image posted on a website or received by email or text message to execute arbitrary code on your device.

A second flaw found in Apple’s Wallet app could do the same when receiving a maliciously crafted PassKit attachment, such as a ticket or loyalty card. While Apple credits itself for finding this one, it also acknowledges Citizen Lab for its assistance.

The two flaws are related to a new attack vector discovered in use by NSO Group’s Pegasus spyware. Citizen Lab published a news release today outlining a new BLASTPASS exploit chain found in iOS 16.6 as a “zero-click, zero-day exploit” that’s “capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim.”

We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim. The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.
Citizen Lab

The team at Citizen Lab is urging everyone to immediately update their devices to iOS 16.6.1 to defend against this new attack. They also commend Apple for its “rapid investigative response and patch cycle” and “acknowledge the victim [of the attack] and their organization for their collaboration and assistance” in bringing it to Citizen Lab’s attention so that it could be reported to Apple and patched.

Apple’s update will secure devices belonging to regular users, companies, and governments around the globe. The BLASTPASS discovery highlights the incredible value to our collective cybersecurity of supporting civil society organizations.
Citizen Lab

Citizen Lab also encourages those who may face an increased risk of being targeted by Pegasus “because of who they are or what they do” to enable Apple’s Lockdown Mode.
