Apple publishes security updates to its OSes targeting Pegasus software exploits.

Released versions: iOS 14.8, iPadOS 14.8, macOS 11.6 and watchOS 7.6.2. These updates are highly recommended to be installed on all devices containing personal or commercial information.

After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.

Ivan Krstić, head of Apple Security Engineering and Architecture

Fixes include issue in Core Graphics which could lead to arbitrary code execution upon opening PDF document. Also WebKit bug potentially causing code execution is fixed.

Apple Support: About the security content of iOS 14.8 and iPadOS 14.8

References: Apple’s iOS 14.8 Update Fixes Zero-Click Exploit Used to Distribute Pegasus Spyware, Apple Releases macOS Big Sur 11.6 With Security Fixes, Apple Releases iOS 14.8 and iPadOS 14.8 With Security Updates, Apple releases watchOS 7.6.2 with important security update

Recommendations

Developer:

Check apps with new releases for compatibility issues.

QA engineer:

Check apps with new releases for regressions.

PM/DM:

Update devices to minimize risks.

Leave a comment