The flaw, reported Monday by Citizen Lab, allowed a hacker using the NSO Pegasus malware to access a device owned by a Saudi activist, according to security investigators.
By Bloomberg
Apple Inc. said it fixed a security flaw in the Messages app after security investigators determined that the Israel-based NSO Group was using it to “exploit and infect” the latest devices with spyware.
The flaw, reported Monday by Citizen Lab, allowed a hacker using NSO’s Pegasus malware to access a device owned by an unnamed Saudi activist, according to security investigators. Apple said the defect could be exploited if a user of a vulnerable device received a “malicious” PDF file.
The flaw was a “zero day” vulnerability, a term that refers to recently discovered bugs that hackers can exploit and that have not yet been fixed. Victims did not have to click on the malicious file for their devices to be infected, something known as “zero-click” exploitation, according to a report released by Citizen Lab, a cyber-research unit at the University of Toronto.
“What stands out is that chat apps are the soft belly of device security,” John Scott-Railton, a senior researcher at Citizen Lab, said in a text message. “They are ubiquitous, which makes them really attractive, so they are an increasingly common target for attackers.
“They have to be a major priority for safety,” he added. “Reducing the attack surface from chat apps will serve to make all of our devices more secure.”
Apple is fixing the bug on iPhone, iPad, Mac and Apple Watch with the software updates iOS 14.8, iPadOS 14.8, macOS 11.6 and watchOS 7.6.2. The updates arrived the day before Apple’s product launch event on September 14, which will likely spur the release of iOS 15, Apple’s next major software update that will contain additional security protections.
“Apple is aware of a report that this issue may have been actively exploited,” the iPhone maker said on its website.
Shares of Apple changed little in extended trading after closing at $149.55 in New York.
The NSO Group, in a statement, said the company “will continue to offer intelligence and police agencies around the world life-saving technologies to fight terrorism and crime.”
The NSO Group has been the subject of repeated criticism by Citizen Lab and other organizations after its spyware was discovered on the phones of activists and journalists critical of repressive regimes. In its report Monday, Citizen Lab accused the NSO Group of facilitating “despotism as a service to inexplicable government security agencies” and argued that “regulation” is necessary.
The NSO Group has insisted that its spyware is intended to be used to fight terrorism and crime, not to aid in human rights abuses.
In June, the company released its first “Transparency and Accountability Report,” which advocated for its technology and its efforts to curb customer misuse.
The White House has raised concerns about the NSO Group with senior Israeli officials, the Washington Post reported.
In December, Citizen Lab reported that NSO spyware was being used to target the devices of 36 Al Jazeera employees. Citizen Lab said it believed the hacks were carried out on behalf of Saudi Arabia and the United Arab Emirates. The 2020 hack is similar to the one disclosed Monday because it did not require the victim to click on a malicious link, which means there is no way to defend against the hack. NSO Group denied the report.