Apple releases emergency update to fix spyware vulnerability
Photo: Karolina Grabowska/Pexels
Apple pushed emergency software updates on Monday to address a vulnerability discovered by security researchers that allowed a spyware known as Pegasus to secretly infect devices.
As outlined in a blog post published Monday, cyber experts at the interdisciplinary Citizen Lab discovered a zero-day, zero-click exploit against iMessage while analyzing the phone of an anonymous Saudi activist.
"We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware," wrote the researchers, who said they believed the exploit has been in use since at least February 2021.
"Ubiquitous chat apps have become a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them," they added.
"We urge readers to immediately update all Apple devices," said the researchers.
WHY IT MATTERS
As The New York Times explained in its reporting about the incident, the Pegasus spyware can turn on a user’s camera and microphone and record messages, texts, emails and calls.
The zero-click capability allows such spyware to be installed without the user taking any action, such as clicking a link.
According to Citizen Lab, the exploit targets Apple's image rendering library and has been effective against Apple iOS, MacOS and WatchOS devices.
Apple's software update, released Monday, said, "Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited."
"After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix," said a press statement by Ivan Krstić, head of Apple security engineering and architecture.
"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data," Krstić added.
Pegasus spyware, sold by the NSO Group, has been discovered on the phones of activists, lawyers, journalists, doctors and children in Mexico, the United Arab Emirates and Saudi Arabia.
The company said in a statement to the Washington Post that it "will continue to provide intelligence and law enforcement agencies around the world with lifesaving technologies to fight terror and crime."
THE LARGER TREND
Although ransomware has tended to pose a more prominent threat to hospitals and health systems, spyware certainly carries its own dangers.
As experts recently noted at HIMSS21, the rise of state-licensed spyware, such as that sold by NSO Group, poses concerns.
"It's just getting worse and worse," said Brian Cady, director of information security architecture at Providence St. Joseph Health.
ON THE RECORD
"As presently engineered, many chat apps have become an irresistible soft target," wrote Citizen Lab researchers. "Without intense engineering focus, we believe that they will continue to be heavily targeted, and successfully exploited."
Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.