OS Security Updates Plug Image and Wallet Vulnerabilities Exploited by Pegasus Spyware
Security updates for Apple’s core operating systems address two zero-click vulnerabilities actively being exploited to deliver the NSO Group’s Pegasus spyware. Kudos to The Citizen Lab at the University of Toronto for identifying and reporting them to Apple. In the first vulnerability, processing a maliciously crafted image could lead to arbitrary code execution; it affects macOS, iOS, and iPadOS. In the second, the Wallet app could allow arbitrary code execution when processing a maliciously crafted attachment; only the current versions of iOS, iPadOS, and watchOS are at risk. Apple doesn’t list any other changes in these updates:
- macOS Ventura 13.5.2
- macOS Monterey 12.6.9
- macOS Big Sur 11.7.10
- iOS 16.6.1 and iPadOS 16.6.1
- iOS 15.7.9 and iPadOS 15.7.9
- watchOS 9.6.2
Although these vulnerabilities are severe, it’s improbable that normal Apple users would be targeted by a hostile government intelligence agency using Pegasus. (If you are concerned about being targeted by a nation-state, mash that Update button as fast as you can. And enable Lockdown Mode.) Nonetheless, I still recommend that everyone update soon because these zero-click vulnerabilities don’t require any user interaction to take over the device. They could theoretically be weaponized in spam email or text messages by online criminals as well.
It’s too bad Apple didn’t address these vulnerabilities with Rapid Security Response updates that are faster to install and easily reverted. The need for the initial watchOS update and subsequent coverage in older operating systems may be why, given that Rapid Security Responses are possible only for the current versions of macOS, iOS, and iPadOS (see “What Are Rapid Security Responses and Why Are They Important?” 2 May 2023).
Apple initially didn’t indicate whether these image and Wallet vulnerabilities would also affect older versions of its operating systems, but as I expected, Apple released updates to Monterey, Big Sur, and iOS and iPadOS 15 a few days later. Nonetheless, given that Citizen Lab reported the vulnerabilities to Apple only a week or so ago, it’s still an impressive turnaround time.
^^^ This.
I can’t be bothered to interrupt what I’m working on on several devices just because of a vagueness fest like “Apple is aware of a report that this issue may have been actively exploited.” Especially not when these days it seems to be occurring at a rate of about once every other week. I’ll consider putting on my OMG-my-hair’s-on-fire hat when one day it says “Apple knows this is being actively exploited”. I’ll get around to this one whenever I do. Zero doubt I’ll be just fine.
On one of the other sites, I had to chuckle when I came across this comment. Nonsense of course, but I still found it amusing.
My sense is that Apple’s stock phrase:
is exactly “OMG the bad guys are targeting people with this one.” The real question is, which bad guys?
If the bad guys in question are using the vulnerability to mass attack iPhones with spam email and text messages containing maliciously crafted images or attachments, that’s a real problem for everyone, and we should all be updating right away.
However, if it’s the likes of NSO Group exploiting the vulnerability to help Pegasus spy on activists, journalists, and the like, that’s bad, but it’s not the sort of thing that will affect 99.9999% of users (decimal places for effect, not accuracy).
And, whoa—it’s exactly that! I didn’t follow all the leads originally because the CVE numbers aren’t generally helpful for learning more right away, but I’m updating the article now.
So yeah, most people can probably chill out on this until it’s convenient to install.
Reportedly this zero-click vulnerability has been known to have been used and exploited by Pegasus. iOS 16.6.1 fixes zero-day exploit used by Pegasus spyware
Agree, however CIS grades these vulnerabilities as High risk to large and medium sized government and business entities; Medium to small sized. People associated with them should pay attention.
I updated Mac, phone and watch - took about 10 minutes without issue.
One of the luxuries of retirement is not having to worry if it breaks something at work - makes me far more likely to do these updates immediately…
I only have access to cellular connectivity right now, so I could only update Mac and iPhone at the time I got the news. Fortunately I had the presence of mind (again) to bring along a backup Wi-Fi hotspot device with an international roaming SIM, so I could update my watch as well, but it’s a clear gap in the approach Apple takes to mobile connectivity generally. As are stupid restrictions preventing automatic background syncing/backups/update downloading when on roaming data (because, what, roaming is always expensive?). Keep a Mi-Fi-type device (or equivalent) on hand.
Aside: Apple Watch is always more useful than you think. I very nearly didn’t bring it with me, but am so glad that I did! Between convenience and massive battery life, my Ultra is a marvellous travelling companion with me here in Turkey.
Heads up. 13.5.2 on the Mac breaks the Ka-Block! Safari ad blocker. Although the extension claims to be running, Safari’s pref pane says
Edit: Just to clarify, ad blocking still appears to work. But the feedback Safari gives users on the status of the plugin appears to indicate it’s not functional.
IIUC this isn’t a problem because content-blocking extensions in the Apple ecosystem work by updating a set of rules that are consulted by Safari, without further work from the extension. How did it used to be represented? My blocker of choice (Roadblock) has two extensions, but the blocker extension is still working fine despite not having any permissions, as expected.
Frustrating that my Apple Watch 3 is “too old” to take this watchOS security update. Hopefully Apple will cater for these older devices with an update soon.
I have absolutely no need to replace my watch with a bigger, more expensive model.
It’s extremely unlikely that Apple will update an obsolete version of watchOS, but unless you’re the sort of person who would be targeted by a foreign government intelligence agency, it’s not worth the CPU cycles to think about at all. And if you are such a person, you shouldn’t be using any hardware that can’t be kept completely up to date with security fixes.
Although in general I would agree with that, the last time their was a watchOS security update back in June, Apple did publish a separate one for Watch 3 only. Doesn’t mean there will be any more and Apple will always eventually stop supporting all legacy hardware.
Added: And I see Apple just released an iOS/iPad/iPodOS 15.7.9 update for older hardware. iPads mini4 & Air 2, iPhones 6s, SE & 7, iPod touch 7G.
Yeah, I was intrigued to see those macOS and iOS/iPadOS updates appear today, but not a watchOS 8 update.
Today’s iOS/iPodOS update was a fix to only the ImageIO fault, whereas the watchOS 9 update was only for the Wallet fault. Perhaps the Wallet fault does not impact older iDevices and almost certainly the ImageIO fault does not play a role on any Watch.
My old iPhone just updated to 15.7.9. I assume it is for the same security update.
Yep, I updated the article when Apple released those updates a few days later since they weren’t worth another article on their own.