The iPhone 13 may be ready to launch tomorrow, but Apple is working swiftly to patch a major vulnerability with a new update for its devices. The updates are iOS 14.8, iPadOS 14.8, and watchOS 7.6.2, none of which were previously given a beta testing period. While none have major features, as you might expect ahead of tomorrow’s “California Streaming” event, these are important security updates, as they fix two system vulnerabilities.
Potentially more serious is Pegasus, an aggressive spyware discovered by Israel’s NSO Group. This “zero-click” exploit requires no input from the user of the phone to take effect, and was being used exclusively against activists in Bahrain, including members of the Bahrain Center for Human Rights. By defeating Apple’s BlastDoor security system, ForcedEntry was able to install the Pegasus spyware suite for monitoring purposes.
According to the New York Times, the spyware is capable of infecting a wide range of Apple devices. Once a device is infected, the spyware can turn on its camera and microphone, record messages, and access texts, emails, and calls, even encrypted ones.
The second vulnerability allows attackers to get around BlastDoor, which was implemented in January to put a line of defense between the Messages app and the rest of iOS.
Messages has traditionally been the weakest link in the security of iOS devices, as Apple didn’t do a good job of cleaning up incoming data from other users; at its nadir, it was possible for a bad actor to take control of someone else’s iPhone by sending them a specific text message or photo. BlastDoor works by filtering out incoming bad code.
According to the official patch notes, the new updates affect CoreGraphics and WebKit, and fix issues affecting “maliciously crafted” PDF and Web content. These issues, according to Apple’s typically vague policies, “may have been actively exploited.”
This follows a story that spread in July and August about a new hack, called “ForcedEntry” by researchers at the University of Toronto’s Citizen Lab, that was able to defeat BlastDoor.
It’s notable that Apple’s new update comes a day before the “California Streaming” event unveils the iPhone 13 and other devices, and just before the expected release of iOS 15. Monday’s update may be the last for iOS 14, and comes at a time when it would otherwise have been easy to miss. That Apple is releasing it at all, rather than kicking the can down the road and fixing the problem with the iOS 15 rollout, shows the importance of the update.
All three updates are available over-the-air at the time of writing and replace iOS 14.7.1, iPadOS 14.7.1 and watchOS 7.6.1.