Apple releases emergency patch to protect all devices against Pegasus spyware

Designed to combat zero-day flaws exploited in Apple's operating systems, the patch applies to the iPhone, iPad, Apple Watch and Mac.

iphone-12-pro.jpg

Image: Apple

Apple has pushed out an update for most of its major products to protect them from a strain of spyware that has already targeted a number of people. On Tuesday, the company rolled out the emergency patch to squash a bug that impacted the iMessage app built into iOS, iPadOS, watchOS and macOS. The flaw allowed hackers to spy on devices without the knowledge of users and was exploited by the NSO Group's Pegasus spyware to compromise the phones of journalists, activists and other prominent individuals.

SEE: How to migrate to a new iPad, iPhone, or Mac (TechRepublic Premium)

The patch is delivered through iOS 14.8/iPadOS 14.8 for iPhones and iPads, watchOS 7.6.2 for the Apple Watch Series 3 and later, and macOS Big Sur 11.6 for Mac computers. In its support documents, Apple said that it is aware of a report that this issue may have been actively exploited. As such, all users are advised to update their devices to the latest versions.

The Pegasus spyware and the vulnerability in iOS first drew attention in 2016 following reports from security firm Lookout and the University of Toronto's Citizen Lab. The two groups had alerted Apple that the bug could allow hackers to remotely jailbreak iPhones and steal messages, call information, emails, logs and other sensitive information. As just one example, the exploit was used by Pegasus to compromise the iPhone of Ahmed Mansoor, an internationally-recognized human rights defender in the United Arab Emirates.

The problem again garnered attention this past July following a report from Amnesty International. The group found that the Pegasus spyware was able to infect iPhone 11 and iPhone 12 models through zero-day attacks in the iMessage app. Among the 67 smartphones analyzed by Amnesty International, Pegasus infections or attempted infections were discovered on 37 of them, according to The Washington Post. The iPhones were outfitted with the latest iOS update at the time, specifically iOS 14.6.

SEE: Apple supplier Quanta hit with $50 million ransomware attack from REvil (TechRepublic) 

On Monday, the Citizen Lab published a new report stating that the Pegasus spyware took advantage of a zero-day zero-click exploit against iMessage. Dubbed FORCEDENTRY, the exploit targeted Apple's image rendering library and was effective against iOS, MacOS and WatchOS devices. The reference to zero-click means that a user need not click, tap or even open a message for the spyware to be installed and subsequently compromise the device.

Asserting that NSO Group took advantage of the vulnerability to infect Apple devices with the Pegasus spyware, Citizen Lab said it believes FORCEDENTRY has been used since at least February 2021. After its analysis, Citizen Lab disclosed the flaw to Apple, prompting the company to create and deploy the necessary patches.

How significant a threat is the Pegasus spyware to the average user? That depends on who you ask.

The NSO Group has criticized the findings of Lookout and Citizen lab, claiming that it "sells its technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts."

SEE: How to safely add folders to iCloud in macOS (TechRepublic) 

In an earlier statement, Apple said these types of attacks are "highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals." The company added that it doesn't see these as a threat to the overwhelming majority of users, but it said it would work to defend all customers. And Apple did end up fixing the vulnerability, so it must have seen it as a serious enough threat to react with an emergency patch.

Though Apple has squashed this specific bug in its messaging app, how can users and organizations protect themselves from similar exploits?

"In the past, users could be trained to avoid spyware infections by looking out for suspicious SMS messages and making sure not to click on links from any numbers they did not recognize," said Kevin Dunne, president at security firm Pathlock.

"However, spyware attackers have now engineered zero-click attacks, which are able to get full access to a phone's data and microphone/camera by using vulnerabilities in third-party apps or even built-in applications," Dunne added. "Organizations need to make sure they have control over what applications users download on to their phones and can ensure they are up to date, so any vulnerabilities are patched."

Also see

By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.