If you’re using Apple products including the iPhone, iPad, Apple Watch and Mac, you are urged to update your devices as soon as possible. For iPhone and iPad users, the latest iOS 14.8 updates will fix a security bug on iMessage which can be exploited by Pegasus spyware.
How to update your devices?
To update your iPhone and iPad to iOS 14.8, go to Settings > General > Software Update. The update is approximately less than 400MB in size and it requires a WiFi connection.
To update your Apple Watch to watchOS 7.6.2, launch the Watch app on your iPhone, and then head to General > Software Update. Take note that your iPhone must be connected to WiFi and your Apple Watch is on the charger with at least 50% battery to proceed with the update.
For Mac users, you are also recommended to update to macOS Big Sur 11.6 as soon as possible. Click on the Apple menu on the top corner of the screen, go to Systems Preferences > Software Updates and click Update Now.
NSO Group iMessage Zero-Click Exploit
The security exploit was raised by the Citizen Lab as it discovered that a Saudi activist’s device was infected by NSO Group’s Pegasus spyware. It is said that the spyware had exploited an iMessage vulnerability and it works against iOS, MacOS and WatchOS devices. Since this is a zero-click exploit, a device can get infected without requiring the user to do anything.
The Citizen Lab disclosed the vulnerability and code to Apple, which has assigned the FORCEDENTRY vulnerability CVE-2021-30860 and describes the vulnerability as “processing a maliciously crafted PDF may lead to arbitrary code execution.”
— Citizen Lab (@citizenlab) September 13, 2021
According to Apple’s security update page, it mentions that the security issue allows the processing of maliciously crafted PDF which may lead to arbitrary code execution. Apple is aware of a report that the issue may have been actively exploited in the wild.
Apple’s head of Security Engineering and Architecture told 9to5Mac in a statement:
“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
It was reported by the Washington Post that Pegasus is a military-grade spyware licensed by an Israeli firm to governments to track terrorists and criminals. However, the spyware was allegedly used to hack 37 phones belonging to journalists, human rights activities, business executives, and individuals close to Saudi journalist Jamal Khashoggi.