Last Week on My Mac: How quickly can Apple release a security update?

We seldom get much insight into how long Apple takes to release an urgent update to macOS, but last week must have seen one of the quickest in recent times. By my reckoning, Apple’s engineers accomplished that in 6-10 days, across four of its operating systems, and with two distinct vulnerabilities.

The story began in The Citizen Lab at the University of Toronto’s Munk School, which announced the discovery of new malware named BLASTPASS in a brief news item on 7 September, the same day that Apple released those updates. According to that report, “last week”, while they were checking an iPhone running the then-current release of iOS (16.6), they “found an actively exploited zero-click vulnerability” that had been used to deliver Pegasus spyware. They believe the attacker had sent the victim PassKit (Wallet) attachments containing malicious images, via iMessage. Although the victim hadn’t opened those attachments, their iPhone had installed the spyware as a result.

It’s worth pointing out that this isn’t the type of attack that you or I would be likely to experience: the victim was a potential target for a sophisticated attack because of their employment, and The Citizen Lab identified the malware as originating from the infamous NSO Group, who specialise in this sort of deep surveillance.

The reference to “last week” makes it likely that The Citizen Lab reported this to Apple’s security team between 28 August and 1 September. On 7 September, Apple released four updates to its operating systems to address the two vulnerabilities that were discovered during analysis of the attack.

The Citizen Lab had already identified a bug in the ImageIO framework, which Apple realised extended to macOS Ventura 13.5.1, iOS 16.6 and iPadOS 16.6. They had also provided Apple with the information that led to its discovery of another bug in the PassKit framework that had enabled this to work without the user tapping or clicking the malicious image, and that affected iOS 16.6, iPadOS 16.6 and watchOS 9.6.1.

The engineers then had to come up with fixes to both of these. The fix in ImageIO required improvements to memory handling, to ensure that a buffer couldn’t overflow, while that in PassKit required improvements to the logical flow of the code, to ensure that crafted attachments were properly validated. For macOS, that meant a new version of ImageIO.framework, taking it up just a single build increment to version 3.3.0, build 2387.7.4. Those fixes then had to be built into new versions of the four operating systems, which were released on 7 September, 6-10 days after The Citizen Lab’s original report to Apple.

It may be purely coincidental, but on 6 September, the day before those updates, Apple had released the first new version of XProtect’s YARA definitions for two months. XProtect version 2170 added a new detection signature for malware with the code name MACOS.16e6816. I look forward with interest to a security researcher identifying that.*

To put these periods into context, in Ventura the interval between release of a Rapid Security Response (RSR) fixing vulnerabilities and its incorporation into a full macOS update has been at least 14 days, and the fix to macOS 13.5 to address loss of access to Location Services controls in 13.5.1 took around 21 days from Feedback report to update.

What we don’t yet know, though, is how widespread these bugs in ImageIO and (for iOS, iPadOS and watchOS) in PassKit are. If the same bug remains in macOS Big Sur, it’s unlikely to get fixed at all, although the next security update to Monterey may well address it. Apple must also be incorporating the fix into the next scheduled update to Ventura, 13.6, which has been testing as a release candidate since before this all happened. It will probably also need to go into the next beta release of Sonoma.

If you think that you might be the target of Pegasus spyware from the NSO Group, and are running an unpatched version of macOS, iOS, iPadOS or watchOS, now is the time to upgrade or update. The Citizen Lab has been advised by Apple’s security team that Lockdown Mode should also block this particular attack, but that’s only available in Ventura, iOS 16 and iPadOS 16, so it is of no help if you’re still with Monterey or other earlier versions of those operating systems. This is why most security researchers now stress the importance of running the current releases of macOS, iOS and iPadOS.

Stay safe.

* This has now been identified by Phil Stokes of SentinelOne as detecting some variants of MetaStealer, and is nothing to do with BLASTPASS after all. [Added 11 September 2023.]