Apple has released a suite of new updates for iOS, macOS, and watchOS to fix a bug that security researchers at Citizen Lab say was very likely exploited to allow government agencies to install spyware into the phones of journalists, lawyers, and activists. The researchers say the bug allowed for a “zero-click” install (meaning the target didn’t have to do anything to be infected) of the Pegasus spyware, which is reportedly capable of stealing data, passwords, and activating a phone’s microphone or camera. You can read our explainer of Pegusus here for more details.
Given the severity of the exploit, you should update to iOS 14.8, macOS Big Sur 11.6, and watchOS 7.6.2 as soon as you can.
Apple’s update page says it’s “aware of a report that this issue may have been actively exploited.”
We heard about the exploit in August, when Citizen Lab reported that it had been successfully used against phones running iOS 14.6 (released in May). Citizen Lab also said the vulnerability, which it codenamed “ForcedEntry,” seemed to match the behavior of an exploit Amnesty International wrote about in July. At the time, the security researchers wrote that it was made possible by a bug in Apple’s CoreGraphics system, and happened when the phone tried to use a function related to GIFs, after it received a text message containing a malicious file.
However, even with that info, it could be difficult to pin down exactly what was happening without access to the infected files themselves. According to Citizen Lab, they discovered files while re-analyzing a backup from an activist’s hacked phone. The files appeared to be GIFs sent as SMS attachments, but were actually PSDs and PDFs. (Apple’s update notes say that the issue occurred when processing a maliciously crafted PDF.) Citizen Lab suspected they could’ve been related to Pegasus, so it sent the files to Apple on September 7th. Apple quickly released the software updates patching the bug on September 13th, and thanked Citizen Lab in a statement for “completing the very difficult work of obtaining a sample of this exploit.”
iOS 14.8 is seemingly only focused on security
Some of Monday’s updates also fix a second security issue with WebKit for iOS and macOS Big Sur (it isn’t mentioned in the release notes for Catalina). While it’s unclear if it’s related to NSO’s exploits — its discovery is attributed to “an anonymous researcher” instead of Citizen Lab, and it’s in a different part of the system — Apple still says that it “may have been actively exploited.”
Such an urgent security issue explains why we’re seeing a new update to iOS just a day before an Apple event, where it’s expected to announced new phones that will probably never run this version of the OS. Still, there have been rumors about an iOS 14.8 release since early August, but given that Monday’s release seems to only deal with the security issues discovered in September, it’s possible we’ll see at least one more iOS 14 release.
Keep your devices up-to-date
CoreGraphics’ PDF rendering seems to have been problematic recently when it comes to security. iOS 14.7 also included a fix for a seemingly separate issue with the system, which could also lead to arbitrary code execution. WebKit has also recently had a few updates to fix security issues that Apple says “may have been actively exploited.” When news of the CoreGraphics exploit broke in August, Apple told TechCrunch it was working on improving security for iOS 15.
All of this serves as a reminder about how important it is to keep all your devices up-to-date. While you hopefully never find yourself on the bad side of a government using advanced spyware, it’s still a good idea to make sure that your device isn’t vulnerable to widely-reported security exploits. Thankfully, Apple is planning on letting users install security updates for iOS 14 without having to upgrade to iOS 15, which could be useful for any future fixes. For the time being, though, get all your devices updated as soon as you can.
Update September 13th, 7:10PM ET: Added quote from Apple’s statement thanking Citizen Lab.