
Apple Fixes Zero-Day Bugs Used To Plant Pegasus Spyware (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Apple released security updates on Thursday that patch two zero-day exploits -- meaning hacking techniques that were unknown at the time Apple found out about them -- used against a member of a civil society organization in Washington, D.C., according to the researchers who found the vulnerabilities. Citizen Lab, an internet watchdog group that investigates government malware, published a short blog post explaining that last week they found a zero-click vulnerability -- meaning that the hackers' target doesn't have to tap or click anything, such as an attachment -- used to target victims with malware.

The researchers said the vulnerability was used as part of an exploit chain designed to deliver NSO Group's malware, known as Pegasus. "The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim," Citizen Lab wrote. Once they found the vulnerability, the researchers reported it to Apple, which released a patch on Thursday, thanking Citizen Lab for reporting them. Based on what Citizen Lab wrote in the blog post, and the fact that Apple also patched another vulnerability and attributed its finding to the company itself, it appears Apple may have found the second vulnerability while investigating the first.

Citizen Lab researcher John Scott-Railton says Apple's Lockdown Mode would have blocked the exploits found in this case. Lockdown Mode is an opt-in feature introduced in iOS 16 that gives users the option to temporarily switch off or limit features for security purposes. According to Apple, it "should be used only if you believe you may be targeted by a highly sophisticated cyberattack, such as by a private company developing state-sponsored mercenary spyware."
  • I guess I needed a slashdot chuckle at the end of the week. Thanks for the dup.

  • two zero-day exploits -- meaning hacking techniques that were unknown at the time Apple found out about them

    It makes total sense, that the hacking techniques weren't known, before they were known.

    On the other hand, if Pegasus was exploiting these, clearly *somebody* knew about them.

    • Interesting how these exploits appear. Some of them so arcane nobody in a hundred years would find them on their own.

      Yet these cell phone hacking companies seem to have an endless supply of them so their product always works. Somehow.

  • Surely these aren't zero day any more...
    Also, running an offensive cyber programme makes you tend to think it's OK to hold out on vulnerabilities to secure an advantage.
    Really, any kind of offensive cyber capability is to the detriment of EVERYONE.
    Looking at you, Five Eyes.

  • If Lockdown Mode was able to protect against this, you can bet your left nut that it was another iMessage attack.

    If so, also just disabling iMessage would have protected against this (this is not the first time they've used this same hole against iPhones to plant Pegasus). I personally disabled it as soon as I switched to iPhone.

    • Almost all vulnerabilities in ImageIO (which this is yet another example of, most previous exploits from NSO Group to drop Pegasus also used ImageIO) can be triggered by delivering a message to *ANY* messaging app including Signal, WhatsApp, Facebook Messenger, etc. You'd never click on a sketchy attachment from an unknown sender in an email but all of the top messaging apps basically click on sketchy stuff for you automatically in the background without any user interaction, hence a 0-click exploit chain.

  • Did the security OS update for both my personal and work-issued iPhones yesterday.

    Did the update one phone at a time. Had to enable wifi on them first, then each took roughly an hour (or a little less) to complete the update.

    Once updated, I switched wifi back off: I just use them for voice and texting.

    • Once updated, I switched wifi back off: I just use them for voice and texting.

      You know that cell phones can access the internet via cellular connections, right?

    • Once the updates were completed, and wifi disabled, then went into Settings' search bar, typed in "lockdown", read the blurb supplied, scrolled to the bottom of the text, then enabled Lockdown Mode on all my iPhones.

      The iPhone then reboots, takes just a minute or less.

      So far, so good. For what I use my iPhones for, voice, texting, and as a camera mostly, seem as normal in Lockdown Mode.

      Will keep LM enabled from now on, if things continue to go well.
