Apple released the iOS 14.7.1 update, which includes a security fix for an actively exploited vulnerability, possibly used by spyware like Pegasus to execute zero-click attacks on iPhone owners. Recently, Amnesty International and a media consortium led by Forbidden Stories published a new database of iOS and Android mobiles of journalists, activists, and rival politicians hacked by authoritarian governments via Pegasus. The victims were tracked, monitored, and subjected to state violence.
Pegasus is private spyware developed by the Israel-based company NSO for iOS and Android devices. The spyware uses an iMessage vulnerability to carry out zero-day exploits that do not require any action from the victim: with a single text message, perpetrators access the victim's smartphone to track the victim's location, read their emails, messages, and stored data, collect passwords and contacts, and much more. In the brutal murder of Saudi journalist Jamal Khashoggi, human rights groups accuse the Saudi government of using Pegasus to track, trap and kill him.
Apple finally patched a zero-day vulnerability in iOS, iPadOS, and macOS
The Register reports that the recent software update fixed an existing security flaw.
The bug, CVE-2021-30807, was found in the iGiant’s IOMobileFrameBuffer code, a kernel extension for managing the screen frame buffer, and could be abused to run malicious code on the affected device.
CVE-2021-30807, credited to an anonymous researcher, has been addressed by undisclosed but purportedly improved memory handling code.
Although the company acknowledged the vulnerability, it did not provide information about the attackers.
“An application may be able to execute arbitrary code with kernel privileges,” the iDevice maker said in one of its duplicative advisories. “Apple is aware of a report that this issue may have been actively exploited.”
Apple did not, however, say who might be involved in the exploitation of this bug. Nor did the company respond to a query about whether the bug has been exploited by NSO Group’s Pegasus surveillance software.
Cybersecurity researchers called on Apple and Google to do more to protect users against sophisticated surveillance tools. They also demanded that the tech giants give access to their operating systems to understand how attacks are created and executed.
Apple reiterated its standard claim that iPhone is the “safest, most secure consumer mobile device on the market.” But researchers say that “it was easier to find evidence of exploitation on iOS devices than those running stock Android.” Therefore, Johns Hopkins University cryptographer Matthew Green said, “Apple is trying, but the problem is they aren’t trying as hard as their reputation would imply.”