Apple has published updates to iOS, macOS, and watchOS to address a vulnerability that security researchers at Citizen Lab believe was very likely exploited to enable government agencies to install spyware on the phones of journalists, lawyers, and activists. According to the researchers, the issue enabled a “zero-click” installation (meaning the target did not have to do anything to become infected) of the Pegasus malware, which is capable of stealing data and passwords and of activating a phone’s microphone or camera.
Given the seriousness of the exploit, you should immediately update to iOS 14.8, macOS Big Sur 11.6, and watchOS 7.6.2.
According to Apple’s update website, the company is “aware of a report that this problem has been extensively exploited.”
We first learned of the issue in August, when Citizen Lab stated that it had been successfully exploited against devices running iOS 14.6 (released in May). Citizen Lab also stated that the vulnerability, dubbed “ForcedEntry,” appeared to replicate the behaviour of an exploit detailed by Amnesty International in July. The security researchers stated at the time that the attack was made possible by a weakness in Apple’s CoreGraphics system and was triggered when the phone attempted to use a GIF-related function after receiving a text message containing a malicious file.
Even with this information, it may be impossible to determine precisely what occurred without access to the infected files themselves. Citizen Lab uncovered the files while re-analyzing a backup from a hacked activist’s phone. The files were provided as SMS attachments and appeared to be GIFs, but were actually PSDs and PDFs. (According to Apple’s update notes, the vulnerability occurred during the processing of a maliciously created PDF.) Citizen Lab felt they might be connected to Pegasus and therefore forwarded the files to Apple on September 7th. On September 13th, Apple provided software patches that addressed the bug.
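The masquerade described above (attachments named as GIFs whose contents were really PDFs or PSDs) is something a defender can flag by comparing a file’s claimed extension with its leading bytes. The following is an added example, not code from Citizen Lab or Apple; the sample attachments are constructed, and the format signatures are the standard GIF, PSD and PDF headers.

```python
import os

# Magic-byte signatures for the formats the article mentions. The PDF header
# may legally appear anywhere in the first 1024 bytes, so it is searched for
# rather than matched at offset 0.
_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "psd": (b"8BPS",),
}

def detect_format(data: bytes):
    """Return 'gif', 'psd' or 'pdf' based on content, or None if unrecognised."""
    for fmt, sigs in _MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    if b"%PDF-" in data[:1024]:
        return "pdf"
    return None

def check_attachment(filename: str, data: bytes):
    """Compare the extension an attachment claims with what its bytes say.

    Returns (claimed, actual, mismatch). A '.gif' that parses as PDF or PSD
    is exactly the disguise described above and warrants quarantine and review.
    """
    claimed = os.path.splitext(filename)[1].lower().lstrip(".") or None
    actual = detect_format(data)
    mismatch = actual is not None and claimed != actual
    return claimed, actual, mismatch

# Constructed sample attachments (not real samples from the incident).
SAMPLES = {
    "photo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
    "meme.gif": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "sticker.gif": b"8BPS\x00\x01" + b"\x00" * 20,
}

def scan(samples=SAMPLES):
    """Run the extension-versus-content check over a batch of attachments."""
    return {name: check_attachment(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, (claimed, actual, bad) in scan().items():
        flag = "MISMATCH" if bad else "ok"
        print(f"{name}: claims {claimed}, looks like {actual} -> {flag}")
```

Only the two disguised samples are flagged; a genuine GIF named .gif passes.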
iOS 14.8 appears to be solely concerned with security.
Several of Monday’s updates also address a second security vulnerability, this one in WebKit on iOS and macOS Big Sur (it is not mentioned in the Catalina release notes). It is unclear whether this flaw is related to NSO’s exploits: its discovery is credited to “an anonymous researcher” rather than Citizen Lab, and it lies in a different part of the system. Apple nonetheless states that it “may have been actively exploited.”
Such a critical security flaw explains why we’re seeing a fresh iOS update just one day before Apple’s scheduled announcement of new phones that will almost certainly never run this version of the OS. Still, reports of an iOS 14.8 release have been circulating since early August, but considering that Monday’s release appears to address only the security concerns revealed in September, it’s possible we’ll see at least one more iOS 14 update.
CoreGraphics’ PDF rendering has had security issues in the recent past. Additionally, iOS 14.7 contained a fix for a seemingly unrelated system vulnerability that could result in arbitrary code execution. WebKit has also received many patches recently for security flaws that Apple said were “being exploited.” When the CoreGraphics issue was disclosed in August, Apple told TechCrunch that it was working to improve iOS 15’s security.
All of this serves as a reminder of the critical nature of keeping all of your devices up to date. While you hope to never come into conflict with a government that employs sophisticated spyware, it’s still a good idea to ensure that your device is not exposed to widely publicised security flaws. Fortunately, Apple intends to allow customers to install security upgrades for iOS 14 without upgrading to iOS 15, which could be beneficial for any future fixes. For the time being, however, ensure that all of your devices are updated as soon as possible.