You may have heard about the ongoing Pegasus hack that affected iOS. AppleInsider now reports that Apple has issues patches and updates to older versions of iOS and macOS for three zero-day vulnerabilities that were reportedly exploited by the infamous Pegasus spyware.
iOS 12.5.5 contains a fix for a CoreGraphics flaw that could be exploited
The mentioned above CoreGraphics flaw allowed malicious users to execute code on a device through maliciously created PDF files. It is possible this vulnerability has been exploited in the wild, according to a support document by Apple.
The affected iPhone and iPad models are older ones: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3. The zero-day vulnerability was discovered by Citizen Lab, a laboratory at the University of Toronto's Munk School of Global Affairs. Because of the involvement of Citizen Lab, it is possible that NSO used that vulnerability for its Pegasus spyware tool.
Citizen Lab has been actively following NSO and the impact it has on human rights and the global political landscape. So far, the initiative has discovered multiple zero-day vulnerabilities connected to the way the Pegasus malware achieved its purposes. Allegedly, the Pegasus spyware was used by authoritative governments to gain access and surveil iPhones of journalists, activists, government officials, and other people.
The Pegasus malware is sometimes deployed as a zero-click attack. Back in the summer, there was a reported case of bypassing Apple's security protocols in Messages and using the Pegasus spyware on a Bahraini human rights activist's iPhone 12 Pro. Apple hurried to release a fix for the impacted iOS 14 version in September. Separate attacks have been reported using Photos and Apple Music.
What is the Pegasus spyware, zero-day vulnerability, and how to fix it?
Back in August, a report by the Washington Post and 16 media partners have made the startling discovery that the phones of 37 journalists and human rights activists had been either attempted to or successfully hacked by an Israeli surveillance firm. The firm was the NSO.
The Pegasus spyware was able to read text messages, track calls, collect passwords, track location, access the victim's microphone and camera, and get information from apps installed on the hacked device.
A zero-day vulnerability is basically a very major vulnerability that's known to hackers but unknown to the developers. That's where the name zero-day comes from, as in the developer get zero days to fix the issue and release a patch. The zero-day vulnerability can become a zero-day attack when a malicious user directly exploits the vulnerability and the developer has no way of preventing it.
It seems the Pegasus spyware was reportedly using several of such vulnerabilities which Apple has now patched and can no longer be used.
Recently, we reported on the fact that not only highly authoritative governments use the Pegasus tool. Germany has admitted to purchasing NSO's spyware, but the country claimed it was used only in accordance with its very strict laws on privacy.
Officials from Germany's Federal Criminal Police office have only activated certain functions of the Pegasus software against known criminals and have respected the country's privacy laws. However, it is unclear what restrictions on the spyware have been put in place and whether they were effective. There's also no information about how often Pegasus was used and against whom.
The zero-day vulnerability has to be fixed by the developer. What you can do is, if you have one of the older iPhones or iPads listed here above, make sure to download and install iOS version 12.5.5. For the newer phones that are on iOS 14, Apple has already released a fix that patches such two zero-day vulnerabilities. If you have skipped it, we strongly suggest you install iOS version 14.8 and iPadOS 14.8 to secure your iPhone or iPad.