Apple has released emergency updates iOS 14.8, iPadOS 14.8, macOS 11.6, and watchOS 7.6.2 to fix a Pegasus vulnerability on iPhones, iPads, Macs, and Apple Watches. The flaw was disclosed by Citizen Lab (a cyber-research unit of the University of Toronto) on Monday and allowed a hacker using NSO’s Pegasus malware to gain access to a device belonging to a Saudi activist.

This was done by using a security flaw in Apple’s Messages app. Apple said that this flaw could be exploited through a “maliciously crafted” PDF file. The flaw was a zero-day vulnerability, i.e., it was either unknown to Apple or they had simply not developed a patch for it at the time.

Moreover, the exploit was a zero-click exploit, which means that victims don’t have to click on the malicious file for it to infect their devices. Rather, it executes on its own using a security hole.

“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users,” Ivan Krstić, head of security engineering and architecture at Apple, said in a statement. “We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly.”

Apple has also outlined the vulnerability and its fix in a support document posted on September 13:

CoreGraphics

• Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
• Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
• Description: An integer overflow was addressed with improved input validation.
• CVE-2021-30860: The Citizen Lab

The fixes with the Apple iOS 14.8 emergency update are for CoreGraphics as well as WebKit:

WebKit

• Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
• Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
• Description: A use after free issue was addressed with improved memory management.
• CVE-2021-30858: an anonymous researcher

The emergency iOS 14.8 update release comes just a day before the much-awaited Apple launch event that will be announcing stuff like the all-new iPhone 13 series, Apple Watch 7, and the AirPods 3. We may also be hearing more about iOS 15 that will likely contain further security improvements.

RELATED:

• Apple’s Back to School Promotion suggests October Event for new Mac and iPad is imminent
• Kuo hints Apple Watch Series 7 production challenges have now been resolved
• Apple iPhone SE 3 will be the cheapest 5G iPhone, Concept renders Surfaced
• Kuo: Apple Watch Series 8 and Future AirPods to include Body Temperature sensor for better Health Management

The post Apple rolls out emergency update to fix Pegasus spyware vulnerability on iPhones, iPads, and Macs appeared first on Gizmochina.