Security updates for Apple’s core operating systems address two zero-click vulnerabilities actively being exploited to deliver the NSO Group’s Pegasus spyware. Kudos to The Citizen Lab at the University of Toronto for identifying and reporting them to Apple. In the first vulnerability, processing a maliciously crafted image could lead to arbitrary code execution; it affects macOS, iOS, and iPadOS. In the second, the Wallet app could allow arbitrary code execution when processing a maliciously crafted attachment; only the current versions of iOS, iPadOS, and watchOS are at risk. Apple doesn’t list any other changes in these updates:
- macOS Ventura 13.5.2
- macOS Monterey 12.6.9
- macOS Big Sur 11.7.10
- iOS 16.6.1 and iPadOS 16.6.1
- iOS 15.7.9 and iPadOS 15.7.9
- watchOS 9.6.2
Although these vulnerabilities are severe, it’s improbable that normal Apple users would be targeted by a hostile government intelligence agency using Pegasus. (If you are concerned about being targeted by a nation-state, mash that Update button as fast as you can. And enable Lockdown Mode.) Nonetheless, I still recommend that everyone update soon because these zero-click vulnerabilities don’t require any user interaction to take over the device. They could theoretically be weaponized in spam email or text messages by online criminals as well.
It’s too bad Apple didn’t address these vulnerabilities with Rapid Security Response updates, which are faster to install and easily reverted. The need for the initial watchOS update and subsequent coverage in older operating systems may be why, given that Rapid Security Responses are possible only for the current versions of macOS, iOS, and iPadOS (see “What Are Rapid Security Responses and Why Are They Important?” 2 May 2023).
Apple initially didn’t indicate whether these image and Wallet vulnerabilities would also affect older versions of its operating systems, but as I expected, Apple released updates to Monterey, Big Sur, and iOS and iPadOS 15 a few days later. Nonetheless, given that Citizen Lab reported the vulnerabilities to Apple only a week or so ago, it’s still an impressive turnaround time.