The discovery means that more than 1.65 billion Apple products in use worldwide have been vulnerable to NSO’s spyware since at least March. “This spyware can do everything an iPhone user can do on their device and more,” said John Scott-Railton, a senior researcher at Citizen Lab, who teamed up with Bill Marczak, a senior research fellow at Citizen Lab, on the finding. Using the zero-click infection method, Pegasus can turn on a user’s camera and microphone, record messages, texts, emails, calls, even those sent via encrypted messaging and phone apps like Signal, and send them back to NSO’s clients at governments around the world. Known as a “zero click remote exploit,” it is considered the holy grail of surveillance because it allows governments, mercenaries and criminals to secretly break into someone’s device without tipping the victim off. The spyware, called Pegasus, used a novel method to invisibly infect Apple devices without victims’ knowledge. One advantage Apple has is longer update support-avoiding zero-day exploits in the first place is ideal, but at least Apple can roll out updates promptly, even to older devices.Apple issued emergency software updates for a critical vulnerability in its products on Monday after security researchers uncovered a flaw that allows highly invasive spyware from Israel's NSO Group to infect anyone's iPhone, iPad, Apple Watch or Mac computer without so much as a click.Īpple’s security team had worked around the clock to develop a fix since Tuesday, after researchers at Citizen Lab, a cybersecurity watchdog organisation at the University of Toronto, discovered that a Saudi activist’s iPhone had been infected with an advanced form of spyware from NSO. Apple still sees its fair share of exploitable bugs, even in its silicon. We might hear about more Android vulnerabilities, but that's because Android is an open-source platform. These flaws are the sixth and seventh zero-days patched by Apple so far this year. That means simply visiting a malicious website on an unpatched device could be enough to get you in trouble.Īpple says these flaws are being actively exploited and were reported by anonymous security researchers. This bug could also allow arbitrary code execution, and while the WebKit engine doesn't have the pervasive system access of the kernel, it is a web component. So, even third-party browsers like Chrome and Firefox offer no reprieve. Coincidentally, that's the only engine Apple allows on the iPhone. This too is an out-of-bounds write vulnerability, but it's a flaw in the WebKit browser engine at the heart of Apple's Safari browser. The second vulnerability is CVE-2022-32893. A vulnerability here allows malware to execute code with the same high privilege level to completely take over the device. It's an out-of-bounds write vulnerability in the operating system kernel, a low-level framework that has access to all parts of the system. The first flaw is tracked as CVE-2022-32894. You can see the update notice for iPhone below. Even Apple's recently discontinued 7th gen iPod Touch gets in on the fun. However, all iPhone models from the 6s onward are affected, as are all models of the iPad Pro, as well as the iPad Air 2, the 5th Gen iPad, the iPad Mini 4, and all later models in these lines. If you're on an older version of macOS, you are not vulnerable to this particular issue. The updates address the same pair of vulnerabilities on both mobile and desktop platforms. The update addresses a pair of zero-day vulnerabilities in Apple's software, meaning they are already being used in the wild to exploit devices.Īpple macOS Monterey has been updated to v12.5.1, and iOS is now on v15.6.1. Apple has announced an emergency patch for iPhones, iPads, and macOS computers, an increasingly common event. Anyone with an iPhone in their pocket or a Mac on their desk should be hitting that update button today.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |