Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Apple's iOS 14.8 Update Fixes Zero-Click Exploit Used to Distribute Pegasus Spyware

R

Rigby

macrumors 603
Aug 5, 2008
6,231
10,174
San Jose, CA
centauratlas said:
With the number of exploits coming in through iMessage vulnerabilities, it is reminiscent of Flash. Apple may need to refactor the iMessage code base with security in mind from the ground up. I am not sure specifically what Apple is doing from a development side on iOS 15, but it needs work.
Click to expand...
Their "Blastdoor" in iOS 14 is an effort to address this (by sandboxing more parts of the message processing pipeline):

googleprojectzero.blogspot.com

A Look at iMessage in iOS 14

Posted By Samuel Groß, Project Zero On December 20, Citizenlab published “ The Great iPwn ”, detailing how “Journalists [were] Hacked ...
googleprojectzero.blogspot.com googleprojectzero.blogspot.com

Apparently there's still some work to do ...
 
LV426

LV426

macrumors 68000
Jan 22, 2013
1,844
2,277
That Professor was correct. iMessage needs re-writing from the ground up. This conveyor belt of vulnerabilities is reminiscent of Adobe Flash.
 
  • Like
Reactions: VulchR
contacos

contacos

macrumors 601
Nov 11, 2020
4,796
18,549
Mexico City living in Berlin
Blows my mind that a company seems to be so powerful that they can just keep selling this and not even world leaders like the French guy seem to mind. You would think something like that could only be sold illegally via the dark web but nope clearly there is more to that company than meets the eye. Who knows, who’s backing them
 
  • Like
Reactions: BulkSlash and fredrik9
centauratlas

centauratlas

macrumors 68000
Jan 29, 2003
1,826
3,772
Florida
Shirasaki said:
I’d argue we have to assume the software has been installed on every single iOS and Mac device in existence today. Removal Of such software could only be done by Apple. If they decide to not publish that, we may never know. The least this patch can do is blocking the exploit.
Click to expand...
This is a very valid concern.

Another concern is if one group has it, how many others do to? Does anyone really think that all the governments buying this have sufficient security to not allow the software to leak? All it takes is one and it can be reverse engineered by others.

The assumption should be: if any nefarious government has it, they'll install it everywhere in case it is ever needed.
 
  • Like
Reactions: Shirasaki
centauratlas

centauratlas

macrumors 68000
Jan 29, 2003
1,826
3,772
Florida
Rigby said:
Their "Blastdoor" in iOS 14 is an effort to address this (by sandboxing more parts of the message processing pipeline):

googleprojectzero.blogspot.com

A Look at iMessage in iOS 14

Posted By Samuel Groß, Project Zero On December 20, Citizenlab published “ The Great iPwn ”, detailing how “Journalists [were] Hacked ...
googleprojectzero.blogspot.com googleprojectzero.blogspot.com

Apparently there's still some work to do ...
Click to expand...

It is, but there are still (obviously) design flaws inherent in it. It is like designing a new house or bolting every feature on an old one without regard to what the changes will do structurally to the old one.
 
R

Rigby

macrumors 603
Aug 5, 2008
6,231
10,174
San Jose, CA
contacos said:
Blows my mind that a company seems to be so powerful that they can just keep selling this and not even world leaders like the French guy seem to mind.
Click to expand...
I wouldn't be surprised if France was actually one of their customers. Germany just admitted to it too ...
 
R

Rigby

macrumors 603
Aug 5, 2008
6,231
10,174
San Jose, CA
Shirasaki said:
I’d argue we have to assume the software has been installed on every single iOS and Mac device in existence today.
Click to expand...
I doubt that very much. Zero-click exploits are worth millions. They'd only want to use it on high-value targets to make it less likely that it's discovered and patched.

The good news is that there will be some long faces at NSO today, seeing that their expensive exploit just went "poof".
 
Last edited:
  • Like
Reactions: Duane Martin and fredrik9
hagjohn

hagjohn

macrumors 68000
Aug 27, 2006
1,749
3,511
Pennsylvania
Rigby said:
Google, Microsoft and some other tech companies have joined Facebook's pending lawsuit over NSO's Whatsapp breach. Why Apple isn't joining in I don't know. They'd certainly have standing after the recent news ...

www.theverge.com

Microsoft and Google join Facebook’s legal fight against infamous spyware vendor

NSO Group argues it should benefit from sovereign immunity.
www.theverge.com www.theverge.com
Click to expand...
The US should threaten to block all US tech from Israel if the Israeli gov't doesn't put a stop to this immediately. This is way over the top and it needs to stop.
 
  • Haha
Reactions: freedomlinux
W

wirtandi

macrumors regular
Feb 3, 2021
179
179
Simple question that I have been wondering. There is a security flaw that has been patched in 14.8. From my understanding, a PDF download is what triggers this exploit. In this case, since I have not downloaded and opened a PDF file from a dodgy website, how urgent do I need to download this update?

Im just confused because I have only been using my phone to visit social media, firefox, and a few trusted apps, and nothing else.
 
S

Schtibbie

macrumors 6502
Jan 13, 2007
429
170
wirtandi said:
Question, how urgent do I need to download this update? From my understanding, a PDF download is what triggers this exploit? So if I have not downloaded and opened a PDF file from a dodgy website, I should be fine, is that how it works?

Im just confused because I have only been using my phone to visit social media, firefox, and a few trusted apps, and nothing else.
Click to expand...
So much wrong with this but here goes:
1: you aren’t a security expert, so rather than try to analyze whether your usage makes you vulnerable, just update your OS. If I had a dollar for every time a non-IT-expert family member of mine told me about (just an example) a Microsoft patch they declined back in the old days because “I’m pretty sure I don’t do XML stuff so I don’t need this patch!” I’d be rich.

2: Firefox is a browser, so: big app pointed at the internet. You don’t know what happens on every page / ad / frame you visit.
 
  • Disagree
Reactions: BulkSlash
E

ender78

macrumors 6502a
Jan 9, 2005
602
353
hagjohn said:
The US should threaten to block all US tech from Israel if the Israeli gov't doesn't put a stop to this immediately. This is way over the top and it needs to stop.
Click to expand...

Tell that to the US police forces that are using this software to break into the phones of suspects. NSO Group is a private company. Certain Apple Hardware/Software teams are based in Isreal. Try again. There is nothing illegal about what NSO Group is doing. At least not with today's laws.
 
  • Like
  • Wow
Reactions: Yammabot, skabichevsky and Makanmata
Shirasaki

Shirasaki

macrumors P6
May 16, 2015
15,747
11,100
hagjohn said:
Time to stop adding features and work only on completely shutting down NSO (and others) ability to hack into Apple OS's.
Click to expand...
but but… our software would no longer include features that can wow people and our marketing department would need to be axed. :rolleyes: And shareholders wouldn’t be happy. :confused:
 
Shirasaki

Shirasaki

macrumors P6
May 16, 2015
15,747
11,100
Just because you don’t deal with PDF today, doesn’t mean another exploit will not hurt you next time.
Also, no need to open a new thread for the same topic.
 
Last edited:
R

Rigby

macrumors 603
Aug 5, 2008
6,231
10,174
San Jose, CA
ender78 said:
Tell that to the US police forces that are using this software to break into the phones of suspects.
Click to expand...
Do you have sources that any US police forces are NSO customers? First I hear about it.
ender78 said:
There is nothing illegal about what NSO Group is doing. At least not with today's laws.
Click to expand...
That is debatable. We'll see what happens when Facebook's lawsuit starts. For example, in the US unauthorized access to devices is illegal under the Computer Fraud and Abuse Act (which may be why they claim that their software cannot be used in the US). Other countries may have similar laws.
 
  • Like
Reactions: VulchR
Shirasaki

Shirasaki

macrumors P6
May 16, 2015
15,747
11,100
nwcs said:
Maybe it is time to replace the pdf standard with a new standard that doesn’t allow for as many holes as the postscript language seems to allow.
Click to expand...
And there will be another set of exploits waiting to be discovered for that new standard, could be even more damaging and more widespread. We never know.
Rigby said:
I doubt that very much. Zero-click exploits are worth millions. They'd only want to use it on high-value targets to make it less likely that it's discovered and patched.

The good news is that there will be some long faces at NSO today, seeing that their expensive exploit just went "poof".
Click to expand...
Software duplication cost is so low, and iOS security is so “high”, average people would never realise their iOS has already been jailbroken regardless. Just that they won’t be used to install Cydia. While it is true that they will be prioritised on high value targets, governments are more than happy to deal with a system full of exploits than a system that is less exploitable.
 
hagjohn

hagjohn

macrumors 68000
Aug 27, 2006
1,749
3,511
Pennsylvania
Shirasaki said:
but but… our software would no longer include features that can wow people and our marketing department would need to be axed. :rolleyes: And shareholders wouldn’t be happy. :confused:
Click to expand...
They need to fix security holes in iOS 15. Do you want a phone with more emoticons, new icons and such or do you want a phone that is secure?
 
G

gilby101

macrumors 68030
Mar 17, 2010
2,596
1,395
Tasmania
wirtandi said:
social media, firefox, and a few trusted apps
Click to expand...
That's all you need. It is not trust in the apps which is required. Rather trust in the content you may download (possibly in the background).

Having said that, if you are not a journalist and not an activist (or have contact with one of them on social media) then you are unlikely to be targeted by the Pegasus exploit.
 
Shirasaki

Shirasaki

macrumors P6
May 16, 2015
15,747
11,100
hagjohn said:
They need to fix security holes in iOS 15. Do you want a phone with more emoticons, new icons and such or do you want a phone that is secure?
Click to expand...
Don’t ask me. Ask random teenagers on the street what they want.
I want a more secure device but I am only one guy.
 
  • Like
Reactions: VulchR and Morod
Localcelebrity

Localcelebrity

macrumors regular
Feb 10, 2004
163
311
Chicago, IL
ender78 said:
Tell that to the US police forces that are using this software to break into the phones of suspects. NSO Group is a private company. Certain Apple Hardware/Software teams are based in Isreal. Try again. There is nothing illegal about what NSO Group is doing. At least not with today's laws.
Click to expand...
You know that Apple has offices in Israel right?
 
Bawstun

Bawstun

Suspended
Jun 25, 2009
2,374
2,999
I keep getting stuck at preparing update, about 3/4 the way through. Any suggestions?
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom