It is unusual for Apple to release yet another update for the previous operating system (the still-current iOS 16) just a few days after the release of iOS 17, and when it does, there is a reason. If you have an iPhone or an iPad and tend to put off updating out of laziness, this time it is more worthwhile than ever: although it brings no new features, iOS 16.6.1 includes two patches that fix two extremely dangerous security holes in your mobile operating system.
The update that Apple released a few hours ago is critical, since it fixes two zero-day vulnerabilities: CVE-2023-41064 and CVE-2023-41061. What are zero-day vulnerabilities? Essentially, they are security flaws that come to light before the vendor's research and development teams find them, which makes them a top-level risk.
These vulnerabilities open the doors to Pegasus spyware
CVE-2023-41064 and CVE-2023-41061 are together known as Blastpass, and they allow images and attachments to install malware on the device. For example, loading a malicious image from WhatsApp or Safari could trigger the installation of malware. This way of proceeding is known as steganography, that is, hiding a file within another file: the malicious code is inserted into the hidden data of a file that at first glance looks harmless.
This security flaw was found by the Citizen Lab security research center, which shared the data with Cupertino last week and has also published information on how it works and which devices are affected.
Apple states that this problem affects all newer iPhones and iPads. Accordingly, the update is available for iPhone 8 and later, all iPad Pro models, the third-generation iPad Air and later, the fifth-generation iPad and later, and the fifth-generation iPad mini and later.
More specifically, it affects Apple devices running the latest version of iOS 16 (16.6) and, worse, it can do so without any interaction from the victim. According to Citizen Lab, Blastpass is being used to deliver "NSO Group's Pegasus mercenary spyware".
Pegasus is spyware developed by a private team for use by government agencies: it infects a phone and sends out data, including photos, messages, and audio/video recordings. Even if you are not an "attractive" target for this type of spying, you should install iOS 16.6.1, because there are those who try to get the most out of these exploits beyond their primary use.
This is how you can protect yourself from the threat
So as not to make things easier for potential attackers and spies, Citizen Lab has not published a full breakdown of the vulnerability, but it affects PassKit (the framework behind such critical applications as Apple Pay and Wallet). An important fact: Citizen Lab explains that iOS 16's Lockdown Mode is capable of protecting users from this flaw, so if you think you could be the target of this type of attack, it is advisable to run this mode until you can update.
How to install iOS 16.6.1? If you have iOS 16 on your device, go to 'Settings' > 'General', open 'Software Update', tap 'Download and Install', and wait for the operation to finish.
Given that the 'Wonderlust' keynote is just around the corner (it will be next Tuesday, October 12), where we hope to see the new iPhone 15, this will most likely be the last update before the announcement of iOS 17.