iPhone users, stop, drop and update now. Apple has issued a patch for a number of code-execution vulnerabilities, many of which are remotely exploitable. Experts are emphatically encouraging an ASAP update to version 14.7 of iOS and iPadOS. You should have already received a notice on your device. The patch addresses a total of 40 vulnerabilities, 37 of which are in iPhones. The most severe of the flaws could allow for arbitrary code execution with kernel or root privileges. That means that a bad actor in a far-off land could gain the highest-level access to your iPhone.
Unfortunately, you aren’t getting a fix for the flaw that makes your iPhone easy prey for Pegasus spyware. This week’s headlines have focused on a zero-click zero-day in Apple’s iMessage feature being exploited by Pegasus mobile spyware, which allows malicious actors to secretly take remote control of an iPhone and monitor all of its activity. How? It’s done without any interaction by a user, and the attack can come in by email, social media, gaming apps, dating apps or even a simple text message. The private security group NSO sells Pegasus to unidentified third parties, including governments that use it to infect the phones of journalists, dissidents, human rights workers and other people who may be critical of repressive regimes. Earlier this week NSO suffered a data breach that leaked over 50,000 of their customer records, revealing the depth of their surveillance. If you’re interested in learning more about this event, tune in to ThinkTech.com today at 1pm, where Jay Fidell and I will be chatting about its implications.
This latest breach calls into question whether Apple’s security can bear the weight of protecting those belonging to groups historically targeted with spyware and surveillance. It has given the security community pause about the security of Apple’s closed ecosystem and about whether the company’s lack of transparency regarding its security problems will hurt the global community at large. Only time will tell.
Stay safe out there