Apple issues emergency update for iPhones, Macs and Apple Watches — what to do now [updated]

1. Home
2. News
3. Security

Apple issues emergency update for iPhones, Macs and Apple Watches — what to do now [updated]

(Paradigm credit: Yalcin Sonat/Shutterstock)

Updated to include comment from Apple tree and NSO Grouping.

Apple tree on Monday (Sept. 13) released updates for iOS, iPadOS, macOS, watchOS and Safari to prepare two zippo-24-hour interval flaws that are actively being exploited by hackers. At least one of the flaws has been used past commercial spyware to break into the phones of political activists in Persian Gulf countries.

You'll desire to update your iDevices to iOS and iPadOS 14.eight, macOS Big Sur xi.6, watchOS 7.half dozen.two and Safari 14.one.two. MacOS 10.15 Catalina gets a security update without a new version number, while the Safari update is for Catalina and its predecessor, macOS ten.14 Mojave.

• WhatsApp to offer 'end-to-cease' encrypted backups — what you lot demand to know
• The best Mac antivirus software
• Plus: iPhone 13 — here'south how Apple can convince people to upgrade

Nosotros know some details well-nigh one of the two flaws, catalogued as CVE-2021-30860, which affects the Apple CoreGraphics component on iOS, iPadOS, watchOS, Big Sur and Catalina, but not Safari on its own.

Apple tree'south security advisories state that because of this vulnerability, "processing a maliciously crafted PDF may lead to capricious lawmaking execution." In other words, if you view a booby-trapped PDF, your system can be hacked over the internet.

This flaw was discovered concluding calendar month by Citizen Lab researchers at the University of Toronto who had examined the iPhones of nine Bahraini dissidents. The researchers called the exploit of the vulnerability "FORCEDENTRY" and said it was used by the Pegasus spyware, commercial spyware adult and distributed by Israel-based NSO Group.

Today, Citizen Lab disclosed that the aforementioned exploit was used on an iPhone belonging to a Saudi political activist. The exploit permits takeover of an iPhone if the user receives a message in iMessage. No user action is needed to trigger the exploit, leading data-security experts to phone call it a "cypher-click exploit."

The other vulnerability, catalogued as CVE-2021-30858, is more than mysterious. It is a flaw in WebKit, the Safari rendering engine, and its discovery is credited to "an anonymous researcher."

Apple states that "processing maliciously crafted web content may lead to arbitrary code execution" — again, nasty spider web stuff can hack your device.

This flaw affects iOS, iPadOS, Big Sur and Safari, merely not watchOS or Catalina. As with the other flaw, Apple says that it is "aware of a study that this outcome may have been actively exploited."

Shortly later on Apple tree released the patches, Reuters posted a story about the intelligence services of the United Arab Emirates hacking the iPhones of domestic political activists and foreign diplomats and politicians. It's not even so clear whether either zero-day flaw patched today is involved.

Apple tree kicks off its annual fall extravaganza Tuesday (Sept. 14), and it's probable that the iPhone 13 will exist unveiled forth with iOS xv.

Apple later on Monday released the post-obit statement to media outlets, attributable to Ivan Krstić, the visitor'southward head of security engineering.

"Afterward identifying the vulnerability used by this exploit for iMessage, Apple chop-chop adult and deployed a fix in iOS xiv.8 to protect our users. We'd like to commend Citizen Lab for successfully completing the very hard work of obtaining a sample of this exploit so we could develop this fix speedily.

Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, frequently have a short shelf life, and are used to target specific individuals. While that means they are non a threat to the overwhelming majority of our users, we proceed to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and information."

In a statement to media, NSO Group had this to say.

"NSO Grouping will continue to provide intelligence and law-enforcement agencies around the world with life-saving technologies to fight terror and law-breaking."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has as well been a dishwasher, fry melt, long-booty driver, code monkey and video editor. He'due south been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random Television news spots and even moderated a panel discussion at the CEDIA home-technology briefing. You tin follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/apple-zero-day-patches-sept-2021

Posted by: demerslofiressamed1986.blogspot.com

Share this post