Apple Issues Urgent iPhone Software Update To Address Critical Spyware Vulnerability

BACKGROUND:

It has been reported that Apple has updated its software for iPhones to address a critical vulnerability that independent researchers say has been exploited by notorious surveillance software to spy on a Saudi activist. The urgent update that Apple released yesterday plugs a hole in the iMessage software that allowed hackers to infiltrate a user’s phone without the user clicking on any links, according to Citizen Lab. The Saudi activist chose to remain anonymous, Citizen Lab said.

Expert Comments

September 15, 2021
Josh Goldfarb
Director of Product Management
F5

The "zero-click" exploit targeting Apple iPhones marks a very interesting turn for users of technology. Since these particular attacks are generally highly targeted, the risk of infection for most everyday users is quite low. Nevertheless, for users that have been trained on statements like "don't open email attachments from someone you don't know", "don't click on links in text messages from unknown senders", and others like them, this is something new entirely. When attackers don't need us to play along in order to compromise our devices via phishing/vishing/smishing, it opens up a world of possibilities that feels more like sci-fi than real life. It will be interesting to watch how we as a security community adapt and respond to threats like this one in the coming weeks, months, and years.

September 14, 2021
Jesse Rothstein
CTO and Co-founder
ExtraHop

We all carry highly sophisticated personal devices which have profound implications to personal privacy. There are many examples of this such as app data collection––which Apple recently moved to curb with its App Tracking Transparency framework.

Any sufficiently sophisticated system has security vulnerabilities that can be exploited, and mobile phones are no exception. 

Pegasus is an example of how unknown vulnerabilities can be exploited to access highly sensitive personal information. The NSO group is an example of how governments can essentially outsource or purchase weaponized cyber capabilities. This is no different than arms dealing in my view––it’s just not regulated that way. Companies are always going to have to patch their vulnerabilities, but regulations will help prevent some of these cyber weapons from being misused or falling into the wrong hands.

September 15, 2021
Matt Aldridge
Principal Solutions Architect
Webroot

Although interesting, this vulnerability and resultant patch are not greatly surprising. All software has flaws, and although there are many great security researchers who find and responsibly disclose such vulnerabilities, there will always be others who sell zero-day exploits to the highest bidder or those whose job it is to collect such vulnerabilities for future exploitation by their nation-state paymasters.

The value of zero-day exploits against a mass-market device such as the iPhone is huge, and for this reason, such attack tools are used very carefully against high-value targets or to achieve particularly important goals for the nation-state or organised crime syndicate behind their use. In many cases, the use of these tools will never be discovered, so the success here of Citizen Lab is to be congratulated.

Most users do not need to concern themselves with such highly targeted attacks, but of course, they should keep their devices patched against newly discovered vulnerabilities. Once out in the open, these vulnerabilities can be exploited en masse by far less sophisticated attackers such as ransomware or other extortion groups. Such attacks also highlight the value of having 3rd party security tools operating in addition to the standard security tooling of the operating systems in use, as these give a vital second layer which greatly improves the chance of prevention or at least detection of attacks.

September 14, 2021
Jake Moore
Cybersecurity Specialist
ESET

iPhones are constantly targeted in experimental, laboratory condition attacks and with enough money and time behind each attempt, it’s then a race against time for Apple to patch before the flaw is properly exploited. These rare but powerful hacks can be extremely intrusive and those targeted will be left with little they can do to stop them.

The importance of regularly updating devices has never been greater, and each update must be taken seriously even if more than one has been pushed out in quick succession. These updates usually patch far more serious bugs than Apple make out.

 

September 14, 2021
Sam Curry
Chief Security Officer
Cybereason

Monday’s emergency software updates for a critical vulnerability discovered in iPhones, Apple Watches and Macs, shouldn't be cause for panic. Yes, this newest Pegasus spyware delivery mechanism is novel, invasive and can easily infect billions of Apple devices, but stay calm and simply get control of your device and download the software updates available from Apple. Do that and move on. Follow Apple's instructions if you think you are infected and consult your IT department at work, school, etc. Failing that, Apple’s Genius Bar will be able to help. With nearly 2 billion iPhones active around the world, 100 million Apple Watches being used and more than 100 million Macs, security can’t be a luxury for Apple and it’s not, it’s a responsibility they take seriously.

This type of software is generally a scourge. This specific package has been known a while. What's novel is the subtle installation. These have happened in the past and should be a top priority to identify and fix for any vendor. Relating to Apple security, failing is OK. Failing consistently is not. Let's see how Apple addresses this. They are a generally more secure platform, but they must continue to invest and demonstrate commitment going forward. The most secure platform in the world can be cracked given time unless the security is maintained. An incident or two are not a cause for pitchforks and torches to come out. That comes later if things recur or are dealt with in a cavalier manner.

September 14, 2021
Tim Mackey
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Synopsys

Zero-click software or apps should be a high concern for any mobile device user. This class of software doesn’t require any interaction by the user, so no explicit download and no explicit consent is granted. While there are legitimate uses for this class of software, the secretive nature of the installation makes it particularly appealing to malicious or criminal groups. The only real path for end users to defend against such software is to keep on top of all operating system updates, vendor updates, and maintain an up-to-date anti-malware solution.
