Apple has released emergency updates iOS 14.8, iPadOS 14.8, macOS 11.6, and watchOS 7.6.2 to fix a vulnerability exploited with Pegasus malware on iPhones, iPads, Macs, and Apple Watches. Citizen Lab (a cyber-research unit of the University of Toronto) disclosed the flaw on Monday; it allowed a hacker using NSO’s Pegasus malware to gain access to a device belonging to a Saudi activist.


This was done by using a security flaw in Apple’s Messages app. Apple said that this flaw could be exploited through a “maliciously crafted” PDF file. The flaw was a zero-day vulnerability, i.e., it was either unknown to Apple or they had simply not developed a patch for it at the time.

Moreover, the exploit was a zero-click exploit, which means that victims don’t have to click on the malicious file for it to infect their devices. Rather, it executes on its own using a security hole.

“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users,” Ivan Krstić, head of security engineering and architecture at Apple, said in a statement. “We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly.”


Apple has also outlined the vulnerability and its fix in a support document posted on September 13:

CoreGraphics

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • Description: An integer overflow was addressed with improved input validation.
  • CVE-2021-30860: The Citizen Lab

The iOS 14.8 emergency update fixes issues in CoreGraphics as well as WebKit:

WebKit

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30858: an anonymous researcher

The emergency iOS 14.8 update release comes just a day before the much-awaited Apple launch event that will be announcing stuff like the all-new iPhone 13 series, Apple Watch 7, and the AirPods 3. We may also be hearing more about iOS 15, which will likely contain further security improvements.
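For anyone managing a fleet, the practical question is which devices are still below the fixed releases. The following is an added example, not code from Apple or Citizen Lab: it checks a device inventory against the four versions named above. The CSV layout, device names and function names are assumptions, and other release lines are out of scope.

```python
import csv
import io

# Fixed releases named in the article, as comparable tuples.
FIXED = {
    "iOS": (14, 8),
    "iPadOS": (14, 8),
    "macOS": (11, 6),
    "watchOS": (7, 6, 2),
}

# Constructed sample inventory (hypothetical export format and device names).
SAMPLE_INVENTORY = """device,platform,os_version
exec-iphone,iOS,14.7.1
lab-ipad,iPadOS,14.8
dev-macbook,macOS,11.5.2
ops-watch,watchOS,7.6.2
kiosk-ipad,iPadOS,15.0
old-export,iOS,unknown
build-mac,macOS,11.6.0
"""

def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_patched(platform, version_text):
    """True/False for known platforms; None when the row needs manual review."""
    fixed = FIXED.get(platform)
    version = parse_version(version_text)
    if fixed is None or version is None:
        return None
    # Pad both tuples so that 14.8 and 14.8.0 compare as equal.
    width = max(len(fixed), len(version))
    return version + (0,) * (width - len(version)) >= fixed + (0,) * (width - len(fixed))

def audit(inventory_csv):
    """Sort device names into patched / unpatched / review lists."""
    result = {"patched": [], "unpatched": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = is_patched(row["platform"], row["os_version"])
        key = "review" if status is None else ("patched" if status else "unpatched")
        result[key].append(row["device"])
    return result

if __name__ == "__main__":
    for status, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices)}")
```

Rows with an unrecognised platform or an unparseable version land in `review` rather than being counted as patched.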

 
