Apple's iOS 14.8 Update Fixes Zero-Click Exploit Used to Distribute Pegasus Spyware

[M3gatron]

At least these nasties get patched on *every* supported iOS device on day one.

Android users, good luck.

Android has evolved quite a lot in terms of security, the pegasus spyware was quite a bit harder to implement on Android devices.
Also an exploit using Android's image rendering library can be patched directly by Google using Play Services System Updates not to mention most system apps can be updated separately directly by Google or the OEM if there's a vulnerability.

 

[LV426]

Shame on Apple for employing people who created software code that would allow such a profound exploit to occur in the first place. Makes me wonder if there may be some double agents within Apple’s software team.

In defence of Apple, many of the recently uncovered exploits rely on flaws that are deep down in the OS and hard to spot. That's why hackers spend millions on trying to find them.

Apple, like most software vendors, stand on the shoulders of giants and use / modify / extend publicly available code libraries. In an ideal world, Apple would design / code / assess every line of code they use, but we don't live in an ideal world. Some little nasty hidden away in a document parser or graphics library will always be there waiting to trip you up, until someone spots it and/or starts making use of it.

 

[PinkyMacGodess]

everything is a play at this point. 100%. It’s time we realize.

I'm a cynic, and that's a little too cynical for me. *shrug* But, yeah, we are the product, we are the target, we are the victim of capitalism.

 

[polyphenol]

Android has evolved quite a lot in terms of security, the pegasus spyware was quite a bit harder to implement on Android devices.
Also an exploit using Android's image rendering library can be patched directly by Google using Play Services System Updates not to mention most system apps can be updated separately directly by Google or the OEM if there's a vulnerability.

Let me ask:

As of today, are there more Android or IOS phones (and pads, if you like) susceptible to Pegasus?

Answer as absolute numbers, percentage of the device populations, or any other reasonable way of considering how to evaluate "more".

(And if not literally "today", let's allow a week or two for the latest Apple and Android updates to reach the devices.)

 

[aliensporebomb]

Question: for those who received this update does your phone say 14.7 or 14.8?
Somehow my phone got set to "automatically update" (I don't remember doing this) and there are no updates to get.
It claims it is current, 14.7.
Does anyones phones indicate 14.8?
I did notice I'm still running the beta profile from prior to 14.7 which I've removed, maybe that will help.
Update: that's it. Remove the beta profile and update.
Anyone who had the beta profile for getting the 14.5/6 updates needs to remove it for it to show.

 

[polyphenol]

Question: for those who received this update does your phone say 14.7 or 14.8?
Somehow my phone got set to "automatically update" (I don't remember doing this) and there are no updates to get.
It claims it is current, 14.7.
Does anyones phones indicate 14.8?

Certainly does say 14.8.

And before that it said 14.7.1

You haven't even got that update.

 

[VulchR]

Why Apple, Google, and Microsoft don't sue such companies and run their resources to the ground?

The corollary of that is why don't governments shut shady hacker organisations down? Oh wait.

Anyway I 'd just like to add my two cents: shouldn't there be some automated way of checking for these exploits rather than playing this arms race with hackers? Second, isn't it about time to build processes that can't have unwanted code injected like this?

 

[LV426]

The corollary of that is why don't governments shut shady hacker organisations down? Oh wait.

Anyway I 'd just like to add my two cents: shouldn't there be some automated way of checking for these exploits rather than playing this arms race with hackers? Second, isn't it about time to build processes that can't have unwanted code injected like this?

1. There are more ways that software can go wrong than there are atoms in the universe, so it's not possible to test every possible use case completely.

2. Flawless complex code is extremely hard to write.

 

[M3gatron]

Let me ask:

As of today, are there more Android or IOS phones (and pads, if you like) susceptible to Pegasus?

Answer as absolute numbers, percentage of the device populations, or any other reasonable way of considering how to evaluate "more".

(And if not literally "today", let's allow a week or two for the latest Apple and Android updates to reach the devices.)

Well taking in consideration that iOS 12 hasn't been patched even as of today more iOS devices are susceptible to this malware.
The idea is that right from the start Android was a way more difficult target and Google only found three dozens comprised Android phones since 2014 until now, the malware was considerably more successful on iOS. Anyway it looks like Google Play Protect can detect Pegasus so it would be hard to say how many Android phone would currently be vulnerable to it.

 

[Mercury7]

so Where is a good place to go and see any analysis of the code put out in these updates…. Kinda don’t have trust to just blindly download from Apple anymore

 

[audiophilosophy]

In defence of Apple, many of the recently uncovered exploits rely on flaws that are deep down in the OS and hard to spot. That's why hackers spend millions on trying to find them.

Apple, like most software vendors, stand on the shoulders of giants and use / modify / extend publicly available code libraries. In an ideal world, Apple would design / code / assess every line of code they use, but we don't live in an ideal world. Some little nasty hidden away in a document parser or graphics library will always be there waiting to trip you up, until someone spots it and/or starts making use of it.

Yeah, it made sense pre-2010ish (before Apple was a huge HUGE company) that they used UNIX core and stuff that already existed. However, they have the money and resources for a long time now to either start all over from the ground up or to find stuff like this themselves before hackers do and exploit it. A perfect time to have written everything over from the ground up would have been when they were moving all devices to APFS. It’s just absolutely inexcusable considering how much money Apple has, how many users and devices there are out there, and how much time they have had the capability to make sure things like this don’t happen. Apple can market themselves as ensuring customer privacy and safety from malware, but now I see that it’s all just empty promises.

 

[PinkyMacGodess]

Why didn’t Apple specifically state what does iOS 14.8 security update actually entails that’s the part that I have a gripe with,

I'm not surprised. Some fixes are rather detailed in what was fixed, and others are more nebulous. I think the later is a defensive mechanism to not draw too much attention to an area that might be harder to fix, or believed to be suspect, or sensitive. Just a guess. But how much information does a 'normal person' have to know? I updated the wife's Apple goodies while she was away from them sitting charging. I mentioned, after I saw her in the room with them that I had updated them. Did she ask why? Did she ask what it fixed? Nope, and I doubt she will ever care. It has to be so great to be so blissfully unaware of the threats that are around us all. Some can ignore them, and some can't. I seem to be in the later group for some reason. Lucky me...

 

[PinkyMacGodess]

so Where is a good place to go and see any analysis of the code put out in these updates…. Kinda don’t have trust to just blindly download from Apple anymore

At some point you have to trust *someone*.

Do you drive a car? You have to trust that someone driving towards you isn't going to swerve over and hit you. It would be easy to do.

Do you walk on a sidewalk? Same thing...

Apple has screwed up updates a few times, but you have to, I have to, trust that they are doing their job well because I can't do that job myself. That goes for everything of a technological nature. I can't write firmare for a Cisco firewall, I just have to assume that they have done a good job trying to protect their customers, and me. It's not like clothes, where I could, say, make my next pair of pants, or fix a hole, or tear. The iPhone and iOS are easy to use, and provide a lot of flexibility to do the things I want to do. I have to trust them, and so many other entities and such all throughout my existence. Things, for the most part, seem to be managed fairly well. Planes don't fall out of the sky (all that much), cars get from point a to b, the TV works (usually), and the beer is cold. Existence is fraught with enough drama and stress. You have to trust, have faith, or go off the grid? I mean, *someone* could be watching me type this right now, and laughing at the reactions (if any), but I hope they are having fun, and they should remember that someone is very likely also watching them!

 

[PinkyMacGodess]

Yeah, it made sense pre-2010ish (before Apple was a huge HUGE company) that they used UNIX core and stuff that already existed. However, they have the money and resources for a long time now to either start all over from the ground up or to find stuff like this themselves before hackers do and exploit it. A perfect time to have written everything over from the ground up would have been when they were moving all devices to APFS. It’s just absolutely inexcusable considering how much money Apple has, how many users and devices there are out there, and how much time they have had the capability to make sure things like this don’t happen. Apple can market themselves as ensuring customer privacy and safety from malware, but now I see that it’s all just empty promises.

There are programs that can check code for flaws, but they only check for what they are programmed to find. I think there will always be flaws, ghosts in the machine, areas that are able to be exploited either for surveillance, or to do harm. And rewriting a complicated OS is not guarantee that the rewrite wouldn't open even more areas up for exploit.

 

[ender78]

Shame on Apple for employing people who created software code that would allow such a profound exploit to occur in the first place. Makes me wonder if there may be some double agents within Apple’s software team.

Name 5 things that you and your colleagues at work do with 100% perfection and zero errors, following all local laws and company procedures. If anyone violates any of these rules the entire staff of the entire team should be fired.

Finding bugs, and patching is a continuous lifecycle.

Not all bugs are malicious in nature/origin.

 

[ender78]

It’s just absolutely inexcusable considering how much money Apple has, how many users and devices there are out there, and how much time they have had the capability to make sure things like this don’t happen. Apple can market themselves as ensuring customer privacy and safety from malware, but now I see that it’s all just empty promises.

The list of people that can do this kind of work is finite; to say this can be solved with more people is naive. Can Apple do more, sure. Can Apple spend their way out of the problem, I do not believe so.

If a security researcher likes living where they live and doesn't want to work for Apple, they are not a resource Apple can hire.

Having bugs is not inexcusable, doing nothing to fix them is.

In the arms race, you continue to do new checks as vulnerabilities or vectors become known.

Software is hard.

 

[VulchR]

1. There are more ways that software can go wrong than there are atoms in the universe, so it's not possible to test every possible use case completely.

Very much doubt that.

2. Flawless complex code is extremely hard to write.

But finding bugs in code? Surely machines can augment the search for exploits. Anyway, I have installed Apple's updates on my machines, but I wonder how many other undiscovered exploits there. And I hope Apple considers that a higher priority than their CSAM surveillance project.

 

[PinkyMacGodess]

Very much doubt that.

But finding bugs in code? Surely machines can augment the search for exploits. Anyway, I have installed Apple's updates on my machines, but I wonder how many other undiscovered exploits there. And I hope Apple considers that a higher priority than their CSAM surveillance project.

This whole topic reinforces the adage that 'nothing tests like shipping it', meaning that you can look at a program from all angles, and *think* you have tested all of it, and yet... You ship it, and, *something happens*. Someone enters an off string into a field, and things go immediately sideways. It happens. Or a buffer that was 'huge', and likely impossible to overflow, is, and it hits the wall. Some of it is just sloppy programming, but some of it is because of limits in the language, or the compilers, etc.

And, like I said earlier, there are programs that can search code for errors, but they can only find what they are programmed to see. I'm sure there are major blind spots in some of those programs that would enable badness to slip through.

 

[Mercury7]

At some point you have to trust *someone*.

Do you drive a car? You have to trust that someone driving towards you isn't going to swerve over and hit you. It would be easy to do.

Do you walk on a sidewalk? Same thing...

Apple has screwed up updates a few times, but you have to, I have to, trust that they are doing their job well because I can't do that job myself. That goes for everything of a technological nature. I can't write firmare for a Cisco firewall, I just have to assume that they have done a good job trying to protect their customers, and me. It's not like clothes, where I could, say, make my next pair of pants, or fix a hole, or tear. The iPhone and iOS are easy to use, and provide a lot of flexibility to do the things I want to do. I have to trust them, and so many other entities and such all throughout my existence. Things, for the most part, seem to be managed fairly well. Planes don't fall out of the sky (all that much), cars get from point a to b, the TV works (usually), and the beer is cold. Existence is fraught with enough drama and stress. You have to trust, have faith, or go off the grid? I mean, *someone* could be watching me type this right now, and laughing at the reactions (if any), but I hope they are having fun, and they should remember that someone is very likely also watching them!

Mostly worried they will install spyware themselves at this point, so yeah I’m looking for an all clear before installing updates for now on, trust but verify… cook has proven he may have a different definition of privacy than I do, it is what it is

 

[PinkyMacGodess]

Mostly worried they will install spyware themselves at this point, so yeah I’m looking for an all clear before installing updates for now on, trust but verify… cook has proven he may have a different definition of privacy than I do, it is what it is

Paranoia is a slippery slope. Be careful... 👍🏼🤙

 

[Mercury7]

Paranoia is a slippery slope. Be careful... 👍🏼🤙

Yeah, I’m not trying to convince anyone else…. It’s just the way I view Apple now, they have not even pledged not to install the spyware on our devices yet… basically just said they would think about it, I‘ll get over it eventually

 

[Deguello]

I think there are in progress lawsuits over past hacks. Country? US (NSO has US offices I think) or Israel.
Cause? Selling exploits that are then used for "evil" purposes, violating laws on hacking user data, etc.

Here's one from 2019 over a Whatsapp exploit:

NSO Group lawsuit (re hacking WhatsApp users) - Business & Human Rights Resource Centre

www.business-humanrights.org

What law gives US companies to sue Israeli companies over this? Don’t confuse allegation of hacking a server (the claim in your cited case, which is US and not international, byway) with writing software.

What laws against hacking user data did this company violate?

 

[PinkyMacGodess]

Yeah, I’m not trying to convince anyone else…. It’s just the way I view Apple now, they have not even pledged not to install the spyware on our devices yet… basically just said they would think about it, I‘ll get over it eventually

The 'spyware' is coming from Israel, NOT Apple. You did know that, right?

 

[Mercury7]

The 'spyware' is coming from Israel, NOT Apple. You did know that, right?

Not referring to pagasus, csam

 

[PinkyMacGodess]

Not referring to pagasus, csam

It's not 'spyware' then, it's scanning things in iCloud accounts. I'd think Apple would have to be completely insane to carry through with that now. I didn't hear it was about scanning iOS devices. That would be really insane. I'd dial it down a bit. I thought COINTELPRO was about to happen again, and, well, who knows, but I like to think that it's less likely to happen, but could change next November.