Apple Issues Emergency Security Updates to Close a Spyware Flaw

Mr. Marczak said he found that the Saudi activist, who declined to be identified, had received an image. That image, which was invisible to the user, exploited a vulnerability in the way that Apple processes images and allowed the Pegasus spyware to be quietly downloaded onto Apple devices. With the victim none the wiser, his or her most sensitive communications, data and passwords were siphoned off to servers at intelligence and law-enforcement agencies around the globe.

Citizen Lab said the scale and scope of the operation was unclear. Mr. Marczak said, based on the timing of his discovery of Pegasus on the Saudi activist’s iPhone and other iPhones in March, it was safe to say the spyware had been siphoning data from Apple devices for at least six months.

The zero-click exploit, which Citizen Lab dubbed “Forcedentry,” was among the most sophisticated exploits discovered by forensics researchers. In 2019, researchers uncovered that a similar NSO zero-click exploit had been deployed against 1,400 users of WhatsApp, the Facebook messaging service. Last year, Citizen Lab found a digital trail suggesting NSO may have a zero-click exploit to read Apple iMessages, but researchers never discovered the full exploit.

NSO was long suspected of having a zero-click capability. A 2015 hack of one of NSO’s chief competitors, Hacking Team, a Milan-based spyware outfit, revealed emails showing Hacking Team executives scrambling to match a remote, zero-click exploit that its customers claimed NSO had developed. That same year, a Times reporter obtained NSO marketing materials for prospective new clients that mentioned a remote, zero-click capability.

Proof of the capability never turned up.

“Today was the proof,” Mr. Marczak said.

Forcedentry was the first time that researchers successfully recovered a full, zero-click exploit on the phones of activists and dissidents. When such discoveries are revealed, governments and cybercriminals typically try to exploit vulnerable systems before users have a chance to patch them, making timely patching critical.

Mr. Scott-Railton urged Apple customers to run their software updates immediately.

“Do you own an Apple product? Update it today,” he said.

Source link


Subscribe and support independent journalism

With fewer people visiting branches, opting to seek services...

Polri Tahan Kasat Resnarkoba Polres Karawang AKP Edi Nurdin di Rutan Bareskrim –

Laporan Wartawan, Igman Ibrahim TRIBUNNEWS.COM, JAKARTA - Direktorat Tindak...

Sajid Javid Defends Liz Truss After She Said British Workers ‘Need More Graft’

A Liz Truss supporter has said British workers are...

Biden Signs Climate, Health Bill Into Law as Other Economic Goals Remain

WASHINGTON — President Biden signed into law a landmark tax, health and energy bill on Tuesday that takes significant steps toward fulfilling his goal...

Biden Signs Expansive Health, Climate and Tax Law

WASHINGTON — President Biden on Tuesday signed a long-awaited bill meant to reduce health costs, reduce greenhouse gas emissions and raise taxes on corporations...

Education Department wipes out $4 billion in ITT Tech student loans.

The Education Department sent a claim this week to DeVry University, once one of the nation’s largest for-profit college chains, seeking $24 million to...