Two new major software vulnerabilities, cataloged as CVE-2023-41064 and CVE-2023-41061 but nicknamed “BLASTPASS”, threaten to become a nightmare for Apple just days before the launch of its new phones.

Discovered by the Citizen Lab and the University of Toronto, these are two previously unknown flaws in the system that allow an attacker to take control of a device or install spyware simply by delivering an image or attachment through a web page or an email, without the user needing to click a button or a link. They also take advantage of a bug in the company’s electronic payments application, which is installed on all devices by default.

Both are what are commonly known as “zero-day vulnerabilities”: security flaws in a piece of software or an operating system that are unknown to the manufacturer or developer and, therefore, have not yet been corrected.

The term “zero-day” refers to the fact that the creators of the software are not aware of the vulnerability until someone exploits it or reports it to the responsible company. This means there are no “days” of head start for users or manufacturers to address the vulnerability before it is potentially exploited by attackers.

Zero-day vulnerabilities are especially dangerous because cybercriminals can exploit them before a patch or security fix is developed. When a zero-day vulnerability is discovered, it is usually kept secret so that the software manufacturer has the opportunity to create and distribute a patch before attackers use it in attacks. This has been the case with BLASTPASS: shortly after the problem was made public, Apple already had versions of its operating systems ready to correct it, but users must install the latest updates to iOS 16, iPadOS 16, watchOS 16 and macOS 13 (the current versions of its operating systems) so that it cannot be exploited.

The group that detected the bug reports at least one case in which it was used to compromise a person’s phone: an employee of an international organization based in Washington DC. The vulnerability allowed attackers to install a copy of NSO’s Pegasus spyware, which is used by security agencies in many countries to spy on the communications of activists or political rivals.

“The vulnerability is capable of compromising iPhones with the latest version of iOS (16.6) without any interaction from the victim,” the researchers explain.