Apple has just released an emergency patch to fix a security flaw that compromised the iMessage messaging application, making it vulnerable to spyware.
This flaw compromises the security of iPhones, iPads, Macs and Apple Watches, so it is recommended to update the software of these devices.
Urgent security update, due to vulnerability in iMessage
Citizen Lab security firm denounced the existence of a security flaw in Apple’s operating systems, after investigating a phone infected with the spyware Pegasus, which belonged to a Saudi activist. In their discovery, they detected that NSO Group, an Israeli technology company, had allegedly exploited a vulnerability called “zero click” in iMessage, to infect the target device.
John Scott-Railton, investigador de Citizen Lab, he pointed to the New York Times that through this exploit, whoever handles it can do “Everything an iPhone user can do on their device and more”, once infected. This ranges from the monitoring of messages, calls and emails, something common within these attacks, to more elusive elements, such as encrypted communications through applications such as Signal or Telegram. More than opening a space for a simple glimpse of an intruder, this problem is, almost literally, about putting a mobile phone in the hands of others.
According to what the same newspaper reports, Ivan Krstić, Apple’s head of security engineering and architecture, commented that “Attacks such as those described are very sophisticated, cost millions of dollars to develop, often have a short lifespan, and are used to target specific individuals.”, along with praising the work of Citizen Lab.
Unlike attacks that require some action by the target user to activate, such as those that are triggered by executing an attached file or through a malicious link, these types of exploits do not require any input from the user. . In this case, NSO simply needed to attach a malware-laden message through iMessage, taking advantage of a vulnerability in its code that made it invisible to its recipient, without the recipient noticing any suspicious activity.
As a security and responsibility measure, to prevent the detected vulnerability from advancing to a larger scale, when a security firm detects an anomaly of this kind, it is first notified to the responsible company, so that it can be corrected before making it visible to the public. general. This specific problem has already been corrected by Apple, through the update CVE-2021-30860.
Therefore, according to Apple’s report, to correct this problem it is necessary to have at least the versions of iOS 14.8, iPad OS 14.8, watchOS 7.6.2, macOS Big Sur 11.6 and the security update 2021-005 for macOS Catalina.
Additionally, Apple has reported that among their plans they contemplate adding new security safeguards for iMessage, which would arrive with iOS 15, a version that is expected by the end of the year.