Solution for Pegasus Spyware on Mojave?

[dawindmg08]

I have several Macs -- including my. mother-in-law's iMac -- that are still running Mojave. With today's announcement of security fixes against the Pegasus Spyware I was wondering if there's any solution for an older OS, short of updating to Catalina or BigSur? I'm trying to find more info about the exploit at least -- does it only happen through iMessage or could any PDF downloaded to the Mac potentially install this thing?

TIA,
D

 

[Idgit]

I have several Macs -- including my. mother-in-law's iMac -- that are still running Mojave. With today's announcement of security fixes against the Pegasus Spyware I was wondering if there's any solution for an older OS, short of updating to Catalina or BigSur? I'm trying to find more info about the exploit at least -- does it only happen through iMessage or could any PDF downloaded to the Mac potentially install this thing?

TIA,
D

Has it been confirmed that Mojave is vulnerable to this exploit? I've seen no mention of Mojave or earlier macOS versions.

 

[dawindmg08]

Has it been confirmed that Mojave is vulnerable to this exploit? I've seen no mention of Mojave or earlier macOS versions.

My assumption was that this could affect *any* OS that wasn't patched today, and that fix was only pushed out to Catalina and Big Sur users.

 

[Idgit]

I'm not ready to give up Mojave yet. I still need to run some 32-bit apps, but I really despise the UI changes in Big Sur.

In the meantime, I use Little Snitch and Ransomwhere to alert me to any unknown or compromised app or process that tries to phone home or mess about on my system.

Unfortunately, those might be a bit too intrusive for your mother-in-law's system.

Hopefully in the next few days will find out if Mojave is affected.

 

[MarkC426]

My assumption was that this could affect *any* OS that wasn't patched today, and that fix was only pushed out to Catalina and Big Sur users.

It is not a case of 'if you don't do it today your screwed'.

Never download a pdf (or any type of file) from an unknown source.

 

[Mac Hammer Fan]

Apple neglects the users of Mojave. They should release a security update ?

 

[dawindmg08]

It is not a case of 'if you don't do it today your screwed'.

Never download a pdf (or any type of file) from an unknown source.

Been trying to read up on this exploit -- so it's specifically about downloading a bad PDF, yes? If they don't touch a PDF from an unknown sender they'll be good?

 

[dawindmg08]

FYI: more info about the various patches in this Macworld UK article.
Apple is offering the Safari 14.1.2 update in Mojave to patch the webkit side of the exploit. But there's no OS update for the CoreGraphics side -- the author was unsure whether or not Apple isn't going to bother with that OS or if Pegasus can't exploit Mojave. Would love to know about the latter; I can get my MIL to install the Safari patch at least but I know she'll be paranoid regardless.

 

[dawindmg08]

Update #2: i just chatted with "Apple Business Support" on my phone. FWIW:

"After doing some digging your security is at no risk. Pegasus does not affect macOS Mojave."

 

[edubfromktown]

Update #2: i just chatted with "Apple Business Support" on my phone. FWIW:

"After doing some digging your security is at no risk. Pegasus does not affect macOS Mojave."

Thanks for the info...

Preparing for EOL of macos 10.14. I guess in October/November Apple will stop pushing security updates

I have one 12" left running it (wifey has some 32-bit apps). Guess I'll have to bite the bullet and update to Catalina at some point.

 

[Mac Hammer Fan]

Update #2: i just chatted with "Apple Business Support" on my phone. FWIW:

"After doing some digging your security is at no risk. Pegasus does not affect macOS Mojave."

I doubt whether it is the truth.

Market Research Telecast

marketresearchtelecast.com

 

[Jupiter9]

Relax. You are not that important.

 

[DocNo]

Relax. You are not that important.

That's a ridiculous attitude. Now that the patch is out there, it can be easily analyzed to find out what is patched and others WILL start exploiting this now that there is a literal road map on how to exploit it readily available.

That's the double edged sword of patching.

Luckily I don't need messages on my one Mojave machine so I just went into messages and signed it out of iCloud. Not a great solution but better than nothing. I sincerely hope Apple does patch it!

 

[quaresma]

Apple just released another security update for Catalina yesterday. Once again Mojave is left out.

 

[MarkC426]

That's because Mojave is on the edge of the cliff, and about to fall off.
With Monterey about to drop, this is normal.

 

[Nicole1980]

Thanks for the info...

Preparing for EOL of macos 10.14. I guess in October/November Apple will stop pushing security updates

I have one 12" left running it (wifey has some 32-bit apps). Guess I'll have to bite the bullet and update to Catalina at some point.

No reason to give up Mojave hust because Apple stops patching it.

Number 1: The odds you'll be victimized by any of the few mac exploits is extremely unlikely.

Number 2: If you are concerned ... there are a number of third party mac anti spyware products that can give you peace of mind

 

[saudor]

I finally upgraded my system from mojave to big suck 11.6 after testing it on a test SSD since its release and it's actually ok now. Some parts of it run faster than mojave.

Still have a clone of mojave stashed in case i need to eat my words though

What's interesting is that some of my 3rd party apps, after upgrading to big suck, asked for permission to access my contacts, calendar, reminders, etc. There's no need for those permission given the nature of the app.

 

[Mac Hammer Fan]

Really a shame that Apple refuses to release a security update again for Mojave.

 

[dawindmg08]

What's interesting is that some of my 3rd party apps, after upgrading to big suck, asked for permission to access my contacts, calendar, reminders, etc. There's no need for those permission given the nature of the app.

FWIW that seems to be a common experience across the board. Even apps that I know are not malicious (like Adobe) are trying to access things like Contacts. It's bizarre but I guess you can always say NO and it shouldn't affect usability.

 

[Idgit]

I finally upgraded my system from mojave to big suck 11.6 after testing it on a test SSD since its release and it's actually ok now. Some parts of it run faster than mojave.

Still have a clone of mojave stashed in case i need to eat my words though

What's interesting is that some of my 3rd party apps, after upgrading to big suck, asked for permission to access my contacts, calendar, reminders, etc. There's no need for those permission given the nature of the app.

This is what I hate about Apple's security theater. Apple has locked down macOS so much with recent versions and have implemented all these changes that add *huge* amounts of inconvenience for the average user. And yet, every month there seems to be a new zero-day exploit of macOS in spite of all its security restrictions. I mean, ffs, a simple PDF payload bypasses all their restrictions with this Pegasus exploit.

Additionally, the security interface in System Preferences is so badly designed and awkward to use. I have several relatives who are boomers or elderly and they call me frequently for help because some programs (e.g., Zoom) on their Macs don't work. They don't understand how to grant access to these apps because of Apple's ****** UI design these days.

 

[saudor]

This is what I hate about Apple's security theater. Apple has locked down macOS so much with recent versions and have implemented all these changes that add *huge* amounts of inconvenience for the average user. And yet, every month there seems to be a new zero-day exploit of macOS in spite of all its security restrictions. I mean, ffs, a simple PDF payload bypasses all their restrictions with this Pegasus exploit.

Additionally, the security interface in System Preferences is so badly designed and awkward to use. I have several relatives who are boomers or elderly and they call me frequently for help because some programs (e.g., Zoom) on their Macs don't work. They don't understand how to grant access to these apps because of Apple's ****** UI design these days.

Dont get me started on that. Even on iOS, the settings panel is such a mess. They keep changing stuff and having used iPhone for a decade, it’s still annoying to find stuff i could easily find before. (E.g. disabling in-app purchases used to be under restrictions.. now it’s under screen time and can only be done if screentime is enabled)

Basically turned into Android.

 

[Mac Hammer Fan]

On Wikipedia I read about Mojave

Support status
Possibly unsupported as the last two security updates are not available for Mojave. June 2021 and September 2021 updates did not include Mojave.

 

[edubfromktown]

No reason to give up Mojave hust because Apple stops patching it.

Number 1: The odds you'll be victimized by any of the few mac exploits is extremely unlikely.

Number 2: If you are concerned ... there are a number of third party mac anti spyware products that can give you peace of mind

Staying as close as possible to the most recent updates on your devices/computers is the best protection. In addition to the ever changing malware and spyware variants (that still can easily fool endpoint products on up to commercial IDP/IDS/NGFW/UTM systems by changing a couple of bytes), there are plenty of new critical/high vulnerabilities that crop up across all operating system platforms and the 3rd party applications that run on them with regularity.

Beyond the devices themselves, I use an enterprise firewall platform at home, two raspberry Pi's (to sinkhole nefarious dns lookups), Wireguard VPN and other fun things. Even with all of that in place, I do not access the internet with any systems that can no longer can obtain updates.

I have a 24" white iMac and two Mini's from years ago that are running in isolated enclaves on my LAN at home with no default gateway set. This allows them to connect to other devices on the same LAN but nowhere beyond.

BSD UNIX and Debian Linux are among the most secure... macOS, not as much.

 

[Idgit]

Apple's Poor Patching Policies Potentially Make Users' Security and Privacy Precarious - The Mac Security Blog

Apple's practices regarding security updates are frustrating and perplexing, and may endanger users.

www.intego.com