Apple Releases iOS 14.8 With Security Update To Close Spyware Flaw

Angela Lang / CNET

Apple on Monday released security updates for its iPhone, iPad, Apple Watch and Mac computers that close a vulnerability reportedly exploited by invasive spyware built by NSO Group, an Israeli security company.

The tech giant’s security note for iOS 14.8 and iPadOS 14.8 states: “Processing a maliciously crafted PDF may lead to the execution of arbitrary code. Apple is aware of a report indicating that this issue may have been actively exploited.” Apple also released WatchOS 7.6.2, MacOS Big Sur 11.6, and a security update for MacOS Catalina to address the vulnerability.

The fix, previously reported by The New York Times, stems from research by The Citizen Lab, a public interest cybersecurity group that discovered that a Saudi activist’s phone had been infected with Pegasus, the best-known product from NSO Group. According to Citizen Lab, the zero-day zero-click exploit against iMessage, which it dubbed ForcedEntry, targets Apple’s image rendering library and has been effective against iPhones, laptops and Apple Watches in the United States.

Citizen Lab, based at the University of Toronto, said it had determined that NSO had used the vulnerability to remotely infect devices with its Pegasus spyware, adding that it believed the exploit had been in use since at least February this year. It urged all Apple users to update their operating systems immediately.

“Ubiquitous chat apps have become a major target for the most sophisticated players, including nation-state spy operations and the mercenary spyware companies that serve them,” Citizen Lab said in a report. “As currently designed, many chat apps have become an irresistible soft target.”

The news of the security update comes as Apple prepares for one of its most important annual events, the fall rollout of new products. The company is expected to unveil the new iPhones, iPads and Apple Watches on Tuesday. Concerns about the safety of these products would likely affect sales.

Apple thanked Citizen Lab for providing a sample of the exploit, which the iPhone maker said was not a threat to most of its users.

“Attacks like the ones described are very sophisticated, cost millions of dollars to develop, often have a short lifespan, and are used to target specific individuals,” said Ivan Krstić, who heads Apple’s security engineering and architecture operations, in a statement. “While this means that they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all of our customers, and we are constantly adding new protections for their devices and data.”

In July, researchers found evidence of attempted or successful installations of Pegasus on 37 phones belonging to activists, journalists and businessmen. All but three of the devices were iPhones. Some people appear to have been the target of covert surveillance via Pegasus, software believed to be used to pursue criminals and terrorists. The spyware is reportedly able to access and save texts, videos, photos and web activity, as well as passively save and retrieve passwords on a device.

NSO released a statement Monday evening that did not directly address Apple’s update, but said it will “continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight against terrorism and crime.”

The company, which licenses surveillance software to government agencies, says its Pegasus software helps authorities fight criminals and terrorists who take advantage of encryption technology to go “dark.” Pegasus secretly runs on smartphones, giving insight into what their owners are doing. Other companies provide similar software.

CEO Shalev Hulio co-founded the company in 2010. In addition to Pegasus, NSO offers other tools that can track where a phone is in use, defend against drones, and harness data from law enforcement to locate patterns.

NSO has been involved in other hacks, including the high-profile hack of Amazon founder Jeff Bezos in 2018. That same year, a Saudi dissident sued the company for its alleged role in hacking a device belonging to journalist Jamal Khashoggi, who was assassinated inside the Saudi Embassy in Turkey.


Margie D. Carlisle
