By Davide Scigliuzzo, William Turton and Mark Gurman
Apple has said it patched a security flaw in its Messages app after security researchers determined that Israel-based NSO Group used it to “exploit and infect” the latest iPhones and iPads with spyware.
The flaw, disclosed on Monday by Citizen Lab, allowed a hacker using NSO’s Pegasus malware to gain access to a device owned by an unnamed Saudi activist, according to security researchers. Apple said the flaw could be exploited if a user on a vulnerable device received a “maliciously crafted” PDF file.
The flaw was a “zero-day” vulnerability, a term that refers to recently discovered bugs that hackers can exploit and that haven’t yet been patched. Victims didn’t have to click on the malicious file for it to infect their devices, something known as a “zero-click” exploit, according to a report released by Citizen Lab, a cyber-research unit of the University of Toronto.
“What this highlights is that chat apps are the soft underbelly of device security,” John Scott-Railton, senior researcher at Citizen Lab, said in a text message. “They are ubiquitous, which makes them really attractive, so they are an increasingly common target for attackers.
“They need to be a major priority for security,” he added. “Narrowing the attack surface from chat apps will go a long way toward making all of our devices more secure.”
Apple is patching the bug on the iPhone, iPad, Mac and Apple Watch through iOS 14.8, iPadOS 14.8, macOS 11.6 and watchOS 7.6.2 software updates. The software releases came the day before a highly anticipated Apple product launch event on Wednesday. The company is expected to announce the release date for iOS 15, Apple’s next major software update, which may include additional security protections.
“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users,” Ivan Krstić, head of security engineering and architecture at Apple, said in a statement. “We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly.”
Krstić added that attacks like this one are “highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals.”
“While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data,” he said.
The NSO Group has been the subject of repeated criticism by Citizen Lab and other organisations after its spyware was discovered on the phones of activists and journalists critical of repressive regimes. In its report, Citizen Lab accused NSO Group of facilitating “despotism-as-a-service for unaccountable government security agencies” and argued that regulation is “desperately needed.”
NSO Group has insisted that the spyware is intended to be used to fight terrorism and crime, not to aid in human rights abuses.