Apple's iOS 14.8 Pegasus security fix: All iPhone users urged to update immediately

Technology

CNET 14 September, 2021 - 09:26am

Go Update Your iPhone, iPad, Mac, and Apple Watch Right Now

The Mercury News 13 September, 2021 - 03:29pm

Are you, personally, likely to be targeted by shadowy hackers-for-hire? Probably not. But that doesn’t mean there’s a good reason to leave your Apple devices vulnerable.

To ensure your devices have received the update, check that you’re running iOS 14.8, iPadOS 14.8, watchOS 7.6.2, macOS Big Sur 11.6, or Security Update 2021-005 for macOS Catalina. According to Apple, compatible iOS and iPadOS devices include: “iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).”

The zero-day exploit was uncovered by security researchers at the University of Toronto’s Citizen Lab, who put out a report detailing the exploit earlier today. Apple tracks the vulnerability as CVE-2021-30860 and credits Citizen Lab for finding it.

Citizen Lab researchers say they stumbled on the flaw when looking into a Pegasus-infected phone that belonged to a Saudi activist, and found that NSO Group had likely exploited a so-called “zero-click” vulnerability in iMessage to get Pegasus onto the device. Unlike most low-level malware, these kinds of exploits require zero input on the user’s part—all NSO needed to do to break into this activist’s device was send over an invisible, malware-laden iMessage without their knowledge, according to the researchers. Past Citizen Lab reports have detailed NSO’s zero-click attacks on other devices, noting that in many cases, those harboring an infected device “may not notice anything suspicious” is actually happening.

Apple patches an NSO zero-day flaw affecting all devices

Yahoo Finance 13 September, 2021 - 02:15pm

The technology giant said iOS 14.8 for iPhones and iPads, as well as new updates for Apple Watch and macOS, will fix at least one vulnerability that it said "may have been actively exploited."

Citizen Lab said it has now discovered new artifacts of the ForcedEntry vulnerability, details it first revealed in August as part of an investigation into the use of a zero-day vulnerability that was used to silently hack into iPhones belonging to at least one Bahraini activist.

Last month, Citizen Lab said the zero-day flaw — named as such since it gives companies zero days to roll out a fix — took advantage of a flaw in Apple’s iMessage, which was exploited to push the Pegasus spyware, developed by Israeli firm NSO Group, to the activist’s phone.

Pegasus gives its government customers near-complete access to a target’s device, including their personal data, photos, messages and location.

The breach was significant because the exploit worked against the latest iPhone software at the time, both iOS 14.4 and the later iOS 14.6, which Apple released in May. The exploit also broke through new iPhone defenses that Apple had baked into iOS 14, dubbed BlastDoor, which were supposed to prevent silent attacks by filtering potentially malicious content before it is parsed. Citizen Lab calls this particular exploit ForcedEntry for its ability to skirt Apple's BlastDoor protections.

In its latest findings, Citizen Lab said it found evidence of the ForcedEntry exploit on the iPhone of a Saudi activist, running at the time the latest version of iOS. The researchers said the exploit takes advantage of a weakness in how Apple devices render images on the display.

Citizen Lab now says that the same ForcedEntry exploit works on all Apple devices running what was, until today, the latest software.

Citizen Lab said it reported its findings to Apple on September 7. Apple pushed out the updates for the vulnerability, known officially as CVE-2021-30860. Citizen Lab said it attributes the ForcedEntry exploit to NSO Group with high confidence, citing evidence it has seen that it has not previously published.

John Scott-Railton, a researcher at Citizen Lab, told TechCrunch that messaging apps like iMessage are increasingly a target of nation-state hacking operations, and that this latest find underlines the challenges in securing them.

In a brief statement, Apple's head of security engineering and architecture Ivan Krstić confirmed the fix.

"After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data," said Krstić.

NSO Group declined to answer our specific questions.
