Apple releases urgent security update to address critical spyware vulnerability

Move comes after researchers found malicious image files transmitted to the phone of a Saudi activist via the iMessage instant messaging app

Apple has released a suite of new updates for iOS, watchOS and macOS to fix a critical bug that security researchers say has been exploited to deploy notorious commercial spyware against a Saudi activist.

The researchers from the University of Toronto's Citizen Lab said the exploit, which they say has been in use since February 2021, enables attackers to deploy NSO Group's Pegasus spyware on an iPhone, iPad, Apple Watch or Mac computer without the target clicking on any link or opening anything, a so-called zero-click exploit.

After it is installed on a device, the spyware can steal confidential data, including passwords, and also activate a phone's camera or microphone.

The researchers said they found several malicious image files transmitted to the phone of a Saudi activist via the iMessage instant messaging app. While those files carried a .gif extension, they were actually PDF and PSD (Adobe Photoshop) files, so the parsers that iMessage invoked on them were not the ones the file names suggested. The device was eventually compromised by the Pegasus spyware, the researchers said.
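The extension-versus-content mismatch described above is something a responder can check for directly. The following is an added example, not code from Citizen Lab, Apple or NSO Group: it sniffs the leading bytes of each attachment, compares them with the format the file name claims, and flags anything delivered as ".gif" that is really a PDF or PSD. The attachment names and contents are constructed for the demonstration; the function names are this example's own.

```python
"""Check whether an attachment's bytes match the format its file name claims.

Added example (not Citizen Lab's or Apple's code). It flags the pattern described
above: a file delivered as ".gif" that actually begins with a PDF or PSD header.
All sample attachments below are constructed inline for the demonstration.
"""
import os
from typing import Dict, List, Optional, Tuple

# Leading-byte signatures for the three formats named in the report.
# Any file that does not start with one of these is reported as unknown (None).
SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "psd": (b"8BPS",),
}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the real format of `data` based on its magic bytes, or None if unrecognised."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def check_attachment(name: str, data: bytes) -> Dict[str, object]:
    """Compare the extension in `name` with the format sniffed from `data`.

    `mismatch` is True whenever the bytes do not match the claimed extension,
    including the case where the bytes match no known format at all: a ".gif"
    that does not start with a GIF header is not a GIF, whatever else it is.
    """
    claimed = os.path.splitext(name)[1].lower().lstrip(".")
    actual = sniff_format(data)
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "mismatch": actual != claimed,
    }


def flagged_names(attachments: List[Tuple[str, bytes]]) -> List[str]:
    """Return the names of all attachments whose content disagrees with their extension."""
    return [name for name, data in attachments if check_attachment(name, data)["mismatch"]]


# Constructed sample attachments (hypothetical names and contents, not real samples):
# a genuine GIF, a PDF and a PSD renamed to ".gif", and a file with no known header.
SAMPLE_ATTACHMENTS: List[Tuple[str, bytes]] = [
    ("photo1.gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff;"),
    ("photo2.gif", b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"),
    ("photo3.gif", b"8BPS\x00\x01" + b"\x00" * 26),
    ("photo4.gif", b"\x00\x00\x00\x00not an image"),
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        result = check_attachment(name, data)
        status = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{name}: claimed={result['claimed']} actual={result['actual']} {status}")
    # flagged_names(SAMPLE_ATTACHMENTS) returns ["photo2.gif", "photo3.gif", "photo4.gif"]
```

The design point is that an allow-list of "safe" extensions buys nothing when the receiving code selects its parser from the content rather than the name, so any detection or triage rule should key on the bytes, as this check does, and treat an unrecognised header under an image extension as suspicious rather than benign.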

They named the iMessage exploit 'Forcedentry' and said the bug leaves iPhones susceptible to remote data theft and eavesdropping; it affects all of Apple's device families, they added, not just the iPhone.

The researchers discovered the malicious files on the activist's iPhone on 7 September, and immediately alerted Apple.

Apple security chief Ivan Krstić said that after identifying the iMessage vulnerability, Apple quickly released a fix in iOS 14.8 to protect customers. Apple's advisory tracks the bug as CVE-2021-30860, an integer overflow in CoreGraphics triggered when a maliciously crafted PDF is processed, which is consistent with the PDF files Citizen Lab found disguised as GIFs.

As per Apple's release notes, iOS 14.8 is a security-focused update that is recommended for all users. The same fix ships as iPadOS 14.8, macOS Big Sur 11.6 and watchOS 7.6.2, so a device is only protected once it reports one of those versions or later.

The company thanked Citizen Lab for 'completing the very difficult work of obtaining a sample of this exploit'.

Citizen Lab said its findings undermine the assertion by the Israeli firm NSO Group that it only sells its software to law enforcement and intelligence agencies for use against terrorists and criminals.

The latest findings from Citizen Lab come nearly two months after a series of reports by the Paris-based non-profit organisation Forbidden Stories and Amnesty International, which alleged that NSO Group's hacking tools were used in attempted and successful hacks of 37 phones.

The devices belonged to journalists, rights activists, politicians and other prominent individuals around the world, according to Amnesty International. The allegations were reportedly based on a list of 50,000 phone numbers of potential targets that were believed to be of interest to the clients of the NSO Group.

The Washington Post reported that the phone of murdered Saudi journalist Jamal Khashoggi's wife was targeted using Pegasus between September 2017 and April 2018, while his fiancée's phone was infected a few days after his death.

A second bug in Apple software

Some of Monday's security updates released by Apple also address a second security bug, this one in WebKit, affecting iOS and macOS Big Sur.

Apple credited an 'anonymous researcher' for the discovery of this vulnerability, tracked as CVE-2021-30858, and said that it 'may have been actively exploited'. Because WebKit is the engine behind Safari and every other browser on iOS, a WebKit code-execution bug is reachable simply by visiting a malicious page.

In July, Apple released iOS 14.7.1, an update to the iOS mobile operating system that patched a separate security bug under active attack.

In that security update, Apple said the vulnerability, tracked as CVE-2021-30807, affects IOMobileFrameBuffer, a kernel extension that manages the screen framebuffer on Apple devices, and could allow a malicious application to execute arbitrary code with kernel privileges, in other words to escape the application sandbox entirely.