Here we go again. Bill Marczak of The Citizen Lab at the University of Toronto and Maddie Stone of Google’s Threat Analysis Group have identified three more Apple-focused security vulnerabilities that are actively being exploited. Although there’s no corresponding blog post that clarifies, as with the last time this happened (see “OS Security Updates Plug Image and Wallet Vulnerabilities Exploited by Pegasus Spyware,” 7 September 2023), it seems likely that these vulnerabilities are being used by the NSO Group’s Pegasus spyware.
One of the vulnerabilities allows arbitrary code execution while processing Web content, another allows a malicious app to bypass signature validation, and the third could allow a local attacker to elevate their privileges. To me (backed up by Security Editor Rich Mogull), that sounds like a full exploit chain.
Apple has released updates for the two most recent versions of iOS, iPadOS, and watchOS, plus the two versions of macOS before macOS 14 Sonoma, which is due out next week. (You won’t be offered the updates for iOS 17.0.1, iPadOS 17.0.1, or watchOS 10.0.1 if you were receiving beta updates; turn them off to see the latest.) Install everything using Software Update.
The release notes are nearly identical for all the updates:
- iOS 17.0.1 and iPadOS 17.0.1
- iOS 16.7 and iPadOS 16.7
- watchOS 10.0.1
- watchOS 9.6.3
- macOS Ventura 13.6
- macOS Monterey 12.7
On the assumption that these vulnerabilities are being exploited by Pegasus and not something that targets a broader swath of users, I suggest that most people need not update immediately but should do so as soon as is convenient. For instance, take advantage of the Update Tonight option if possible. On my iPhone 14 Pro, installing the iOS 17.0.1 update took about 13 minutes.
Be aware that Apple says exploits targeting these vulnerabilities may have been used against versions of iOS before iOS 16.7. That may mean anyone whose device can’t upgrade past iOS 15 or iPadOS 15 remains vulnerable. Again, for most people, that’s probably not cause for concern, but if you’re worried about being targeted by a nation-state, get a new iPhone, upgrade to the latest version of iOS, and turn on Lockdown Mode.