They reportedly fix bugs exploited by NSO’s Pegasus spyware
Apple has released a suite of new updates for iOShandjob Mac OS, And watchOS to fix a bug Security Researcher in Citizen Lab The great potential was exploited to allow government agencies to install spyware into the phones of journalists, lawyers and activists. Researchers say the bug allowed for “zero-click” installs (meaning the target didn’t have to do anything to become infected) of Pegasus spyware, which allegedly could be used to steal data, passwords and more. Is able to activate the phone’s microphone. Camera. You can read our Pegusus lecturer here for more information.
Given the severity of the exploit, you should update to iOS 14.8, macOS Big Sur 11.6, and watchOS 7.6.2 as soon as possible.
We heard about the exploitation in August, When Citizen Lab Reported That it was used successfully against a phone running iOS 14.6 (released in May). Citizen Lab also said that the vulnerability, codenamed “ForcedEntry,” an exploit matched the behavior of Amnesty International. written about july. At the time, security researchers wrote that this was made possible by a bug in Apple’s CoreGraphics system, and it occurred when the phone attempted to use a GIF-related function, followed by receiving a text message containing a malicious file. Happened.
However, even with that information, it can be difficult to tell exactly what was happening without access to the infected files. According to Citizen Lab, he discovered the files while re-analyzing a backup from a worker’s hacked phone. The files appear to be GIFs sent as SMS attachments, but were in fact PSD and PDF. (Apple’s update notes The problem is said to have occurred while processing maliciously crafted PDFs.) Citizen Lab suspected they might be related to Pegasus, so it sent the files to Apple on September 7. Apple released a software update patching the bug on September 13th.
Some of Monday’s updates also fix a second security issue with WebKit for iOS and macOS Big Sur (not mentioned in Catalina’s release notes). While it’s unclear whether this is related to NSO’s exploits — its discovery has been attributed to “an anonymous researcher” rather than Citizen Lab, and it’s in a different part of the system — Apple still says its “May have been actively exploited.”
Such an urgent security issue explains why we’re seeing a new update for iOS just a day before the Apple event, where new phones are expected to be announced that will probably never run this version of the OS. Still, there are rumors about the iOS 14.8 release. from the beginning of august, but given that Monday’s release appears to only deal with security issues discovered in September, it’s possible that we’ll see at least one more iOS 14 release.
It seems that CoreGraphics’ PDF rendering has been problematic lately when it comes to security. iOS 14.7 also includes a fix For a different problem with the system, which can lead to arbitrary code execution. WebKit recently made some updates to fix security issues that Apple says “may be actively exploited.” When news of the CoreGraphics exploit broke in August, apple told Nerdshala It was working on improving security for iOS 15.
All of this serves as a reminder of how important it is to keep all of your devices up-to-date. While you’ll hopefully never find yourself on the bad side of a government that uses advanced spyware, it’s still a good idea to make sure your device isn’t vulnerable to widely reported security exploits. Thankfully, Apple is rental plan Users install security updates for iOS 14 without upgrading to iOS 15, which may be useful for any future improvements. However, for the time being, get all your devices updated as soon as possible.