Apple today (Sept. 13) released updates for iOS, iPadOS, macOS, watchOS and Safari to fix two zero-day flaws that are actively being exploited by hackers. At least one of the flaws has been used by commercial spyware to break into the phones of political activists in Persian Gulf countries.
You’ll want to update your iDevices to iOS and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2 and Safari 14.1.2. MacOS 10.15 Catalina gets a security update without a new version number, while the Safari update is for Catalina and its predecessor, macOS 10.14 Mojave.
We know some details about one of the two flaws, catalogued as CVE-2021-30860, which affects the Apple CoreGraphics component on iOS, iPadOS, watchOS, Big Sur and Catalina, but not Safari on its own.
Apple’s security advisories state that because of this vulnerability, “processing a maliciously crafted PDF may lead to arbitrary code execution.” In other words, if you view a booby-trapped PDF, your system can be hacked over the internet.
This flaw was discovered last month by Citizen Lab researchers at the University of Toronto who had examined the iPhones of nine Bahraini dissidents. The researchers called the exploit of the vulnerability “FORCEDENTRY” and said it was used by the Pegasus spyware, commercial spyware developed and distributed by Israel-based NSO Group.
Today, Citizen Lab disclosed that the same exploit was used on an iPhone belonging to a Saudi political activist. The exploit permits takeover of an iPhone if the user opened a message in iMessage.
The other vulnerability, catalogued as CVE-2021-30858, is more mysterious. It is a flaw in WebKit, the Safari rendering engine, and its discovery is credited to “an anonymous researcher.”
Apple states that “processing maliciously crafted web content may lead to arbitrary code execution” — again, nasty web stuff can hack your device.
This flaw affects iOS, iPadOS, Big Sur and Safari, but not watchOS or Catalina. As with the other flaw, Apple says that it is “aware of a report that this issue may have been actively exploited.”
Soon after Apple released the patches, Reuters posted a story about the intelligence services of the United Arab Emirates hacking the iPhones of domestic political activists and foreign diplomats and politicians. It’s not yet clear whether either zero-day flaw patched today is involved.
Apple kicks off its annual fall extravaganza tomorrow (Sept. 14), and it’s likely that the iPhone 13 will be unveiled along with iOS 15.
For all the latest Technology News Click Here
For the latest news and updates, follow us on Google News.