Apple Patches Major iPhone, iPad Vulnerability

The patch is reportedly for the iMessage app and relates to NSO Group spyware that was recently used to breach the iPhones of numerous activists and journalists.

Apple has released patches for iPhone and iPad devices that address an iMessage vulnerability reportedly used by spyware maker NSO Group.

The Citizen Lab at the University of Toronto reported discovering the zero-day, zero-click iMessage exploit—which the research group says was used by NSO Group to infect a Saudi activist’s iPhone with its Pegasus spyware.

In July, the Washington Post and other media outlets reported that Israel-based NSO Group has licensed its spyware—which purports to be for tracking terrorists and criminal suspects—to numerous governments.

The spyware has reportedly been used to target journalists, activists, executives and individuals close to Jamal Khashoggi, the Saudi journalist who was murdered in 2018, according to the Post.

In disclosing its iOS 14.8 and iPadOS 14.8 patches, Apple credits The Citizen Lab for uncovering the vulnerability (which has been assigned CVE-2021-30860 by Apple).

The vulnerability involves a “maliciously crafted PDF [that] may lead to arbitrary code execution,” Apple said in its description of the iOS and iPadOS patches.

“Apple is aware of a report that this issue may have been actively exploited,” the company said.

In a statement provided to CRN on Monday, Ivan Krstić, head of security engineering and architecture at Apple, confirmed that the exploit affected iMessage.

“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users,” Krstić said, commending The Citizen Lab for its work that enabled Apple to “develop this fix quickly.”

The Apple executive’s statement also indicated that this type of attack is “not a threat to the overwhelming majority of our users.”

“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Krstić said in the statement.

In July, human rights group Amnesty International said that the NSO Group has breached Apple devices including the iPhone 12 and iPhone 11, and “thousands of iPhones have potentially been compromised.”

Amnesty and nonprofit journalism organization Forbidden Stories shared a list of phone numbers allegedly targeted by the spyware with the Washington Post and other media outlets—which confirmed that 37 smartphones had been subject to attempted or successful hacking.

The NSO Group hacks are “very concerning for the enterprise customer level,” said one executive at a solution provider, who asked to not be identified, in a previous email to CRN.

The incident raises questions about how many other hacking groups might be aware of the exploits, as well as about how enterprises can protect their executives and workforces, the executive said.

The Citizen Lab has dubbed the newly discovered iMessage exploit “FORCEDENTRY,” and said that the exploit is believed to have been in use since this past February.

“Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies,” a team of researchers at The Citizen Lab said in its blog post Monday.

The finding “also highlights the paramount importance of securing popular messaging apps,” The Citizen Lab researchers said.