Emergency iOS And iPadOS Update Released To Prevent Zero-Click 'Pegasus' Attack

Apple bugs

Hackers and cybersecurity companies are always in cat-and-mouse games in pursuit of defeating the other. At any given time, it's either one or the other.

The Pegasus spyware has been making headlines since it was found that the Israeli company behind it is selling the software to clients that include governments from many parts of the world.

With the spyware, it's reported that the governments can spy on phones used by journalists, as well as politicians and activists, after remotely installing the software on target's phone.

After installing the malware, the people, agency or the organization who installed it will have access to the device, and can see whatever data it holds.

Data that can be siphoned, include text messages, calls, passwords, location, accessing the target device's microphone and camera, and harvesting information from apps.

All that can be done, without having any physical access to the device. Victims don't have to do anything to get their devices infected.

In other words, it's a zero-click.

This is why the spyware is named after the mythical winged-horse Pegasus.

Shalev Hulio, the CEO of the NSO Group, the company that created the Pegasus, once said that NSO's tools were intended to catch serious criminals and terrorists.

But because its clients include people in high places in the many governments around the world, Hulio said that NSO should be granted "sovereign immunity." so it couldn't be sued over the actions of its clients.

That is because according to him, his company couldn't control what governments ultimately did with its tools.

"We are selling our products to governments. We have no way to monitor what those governments do," he said.

He also said that those who aren't criminals or targets of the governments, should have nothing to be afraid of.

"They can absolutely trust on the security and privacy of their Google and Apple devices," Hulio said.

But still, that doesn't make Google and Apple to stay put, whenever they know that NSO's product can exploit their operating systems.

iOS 14.8, iPadOS 14.8

This time, Apple has released iOS 14.8 and iPadOS 14.8. This version of iOS is among a series of emergency security updates released by Apple, after it was said there are flaws that could be exploited by the Pegasus spyware.

In an explanation by Apple in a dedicated support page, the security update is being issued for iPhones and iPads after a "maliciously crafted" PDF or web content could result in them getting hacked.

And iOS 14.8 and iPadOS 14.8, both patch their CoreGraphics and WebKit vulnerabilities, which confirmed Citizen Lab's finding and from an anonymous researcher.

Previously, researchers at the University of Toronto's Citizen Lab said that the security vulnerabilities affected all operating systems under Apple.

The researchers discovered the unwanted code on September 7 and immediately contacted Apple, saying that it was the first time a zero-click exploit had been identified and analyzed.

However, an Apple spokesperson declined to comment whether the vulnerabilities were being exploited by the NSO Group.

"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals," said Ivan Krsti, head of Apple Security Engineering and Architecture, adding that the vulnerability is "not a threat to the overwhelming majority of our users."

As for NSO, the Israeli company didn't address the allegations, only saying that "NSO Group will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime."