Apple Issues Urgent iPhone Software Update To Address Critical Spyware Vulnerability

BACKGROUND:

It has been reported that Apple has updated its software for iPhones to address a critical vulnerability that independent researchers say has been exploited by notorious surveillance software to spy on a Saudi activist. The urgent update that Apple released yesterday plugs a hole in the iMessage software that allowed hackers to infiltrate a user’s phone without the user clicking on any links, according to Citizen Lab. The Saudi activist chose to remain anonymous, Citizen Lab said.


6 Expert Comments
Matt Aldridge, Principal Solutions Architect
InfoSec Expert
September 15, 2021 1:10 pm

Although interesting, this vulnerability and resultant patch are not greatly surprising. All software has flaws, and although there are many great security researchers who find and responsibly disclose such vulnerabilities, there will always be others who sell zero-day exploits to the highest bidder or those whose job it is to collect such vulnerabilities for future exploitation by their nation-state paymasters.

The value of zero-day exploits against a mass-market device such as the iPhone is huge, and for this reason, such attack tools are used very carefully against high-value targets or to achieve particularly important goals for the nation-state or organised crime syndicate behind their use. In many cases, the use of these tools will never be discovered, so the success here of Citizen Lab is to be congratulated.

Most users do not need to concern themselves with such highly targeted attacks, but of course, they should keep their devices patched against newly discovered vulnerabilities. Once out in the open, these vulnerabilities can be exploited en masse by far less sophisticated attackers such as ransomware or other extortion groups. Such attacks also highlight the value of having 3rd party security tools operating in addition to the standard security tooling of the operating systems in use, as these give a vital second layer which greatly improves the chance of prevention or at least detection of attacks.

Josh Goldfarb, Director of Product Management
InfoSec Expert
September 15, 2021 12:28 pm

The "zero-click" exploit targeting Apple iPhones marks a very interesting turn for users of technology. Since these particular attacks are generally highly targeted, the risk of infection for most everyday users is quite low. Nevertheless, for users that have been trained on statements like "don’t open email attachments from someone you don’t know", "don’t click on links in text messages from unknown senders", and others like them, this is something new entirely. When attackers don’t need us to play along in order to compromise our devices via phishing/vishing/smishing, it opens up a world of possibilities that feels more like sci-fi than real life. It will be interesting to watch how we as a security community adapt and respond to threats like this one in the coming weeks, months, and years.

Jesse Rothstein, CTO and Co-founder
InfoSec Expert
September 14, 2021 9:48 am

We all carry highly sophisticated personal devices which have profound implications to personal privacy. There are many examples of this such as app data collection––which Apple recently moved to curb with its App Tracking Transparency framework.

Any sufficiently sophisticated system has security vulnerabilities that can be exploited, and mobile phones are no exception.

Pegasus is an example of how unknown vulnerabilities can be exploited to access highly sensitive personal information. The NSO group is an example of how governments can essentially outsource or purchase weaponized cyber capabilities. This is no different than arms dealing in my view––it’s just not regulated that way. Companies are always going to have to patch their vulnerabilities, but regulations will help prevent some of these cyber weapons from being misused or falling into the wrong hands.

Jake Moore, Cybersecurity Specialist
InfoSec Expert
September 14, 2021 9:41 am

iPhones are constantly targeted in experimental, laboratory condition attacks and with enough money and time behind each attempt, it’s then a race against time for Apple to patch before the flaw is properly exploited. These rare but powerful hacks can be extremely intrusive and those targeted will be left with little they can do to stop them.

The importance of regularly updating devices has never been greater, and each update must be taken seriously even if more than one has been pushed out in quick succession. These updates usually patch far more serious bugs than Apple make out.

Sam Curry, Chief Security Officer
InfoSec Expert
September 14, 2021 9:40 am

Monday’s emergency software updates for a critical vulnerability discovered in iPhones, Apple Watches and Macs shouldn’t be cause for panic. Yes, this newest Pegasus spyware delivery mechanism is novel, invasive and can easily infect billions of Apple devices, but stay calm and simply get control of your device and download the software updates available from Apple. Do that and move on. Follow Apple’s instructions if you think you are infected and consult your IT department at work, school, etc. Failing that, Apple’s Genius Bar will be able to help. With nearly 2 billion iPhones active around the world, 100 million Apple Watches being used and more than 100 million Macs, security can’t be a luxury for Apple and it’s not, it’s a responsibility they take seriously.

This type of software is generally a scourge. This specific package has been known a while. What’s novel is the subtle installation. These have happened in the past and should be a top priority to identify and fix for any vendor. Relating to Apple security, failing is OK. Failing consistently is not. Let’s see how Apple addresses this. They are a generally more secure platform, but they must continue to invest and demonstrate commitment going forward. The most secure platform in the world can be cracked given time unless the security is maintained. An incident or two are not a cause for pitchforks and torches to come out. That comes later if things recur or are dealt with in a cavalier manner.
