Apple’s Pegasus security fix: Update your iPhones now


Spark Global Limited Reports:

The tech giant releases critical security updates for the iPhone, iPad, Apple Watch and Mac computers.

Apple’s newest iPhone operating system is set to land next week, but iPhone users need to update their phones at least one more time before it does in order to install a critical security patch.

Apple released security updates for its iPhones, iPads, Apple Watches and Mac computers earlier this week that close a vulnerability reportedly exploited by invasive spyware built by NSO Group, an Israeli security company.

On Monday, the tech giant posted a security note for iOS 14.8 and iPadOS 14.8 that said some malicious PDFs could take advantage of its operating systems. “Processing a maliciously crafted PDF may lead to arbitrary code execution,” the note read. “Apple is aware of a report that this issue may have been actively exploited.”

Apple also released watchOS 7.6.2, macOS Big Sur 11.6 and a security update for macOS Catalina to address the vulnerability. The patches came a day before Apple’s splashy fall event that rolled out new crops of iPhones and iPads, along with the latest Apple Watch. The company also said at the event that iOS 15 and iPadOS 15 would be generally available for free download starting on Sept. 20.

The fix, earlier reported by The New York Times, stems from research done by a public interest cybersecurity group called Citizen Lab that found a Saudi activist’s phone had been infected with Pegasus, NSO’s best-known product. According to Citizen Lab, the zero-day, zero-click exploit against iMessage, which it nicknamed ForcedEntry, targets Apple’s image rendering library and was effective against the company’s iPhones, laptops and Apple Watches.

Citizen Lab, based at the University of Toronto, says it determined NSO used the vulnerability to remotely infect devices with its Pegasus spyware, adding that it believes the exploit has been in use since at least February. It urged all Apple users to immediately update their operating systems.

“Ubiquitous chat apps have become a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them,” Citizen Lab said in a report. “As presently engineered, many chat apps have become an irresistible soft target.”