
You have to update your Apple devices again, because spyware is bad

Apple patched flaws used to plant Pegasus and Predator spyware.

The three vulnerabilities include a weakness in WebKit, the browser engine that powers Safari; a certificate validation bug that can allow a malicious app to run on an affected device; and a third bug that can be used to gain broader access to the kernel, the core of the operating system. These three vulnerabilities form part of an exploit chain, where the bugs are used together to gain access to a target's device.
The bugs come just days after iOS 17's release, which includes a variety of new security and privacy features aimed at limiting the likelihood of cyberattacks, such as spyware.
It also said Apple is only aware of active exploitation targeting users running iOS 16.7 and earlier. Apple has also back-ported the fixes for these bugs to iOS 16.7, and older versions of macOS Ventura and Monterey, and watchOS.
The bugs were discovered by Maddie Stone, a researcher at Google's Threat Analysis Group, which investigates state-backed threats, and Citizen Lab's Bill Marczak. In blog posts published Friday, both Google and Citizen Lab confirmed that Apple's latest updates were to block an exploit used to plant the Predator spyware on the phone of an Egyptian presidential candidate.
Predator, a software product developed by Cytrox, a rival of Intellexa, can steal the contents of a person's phone and is delivered via spoofed text messages pointing to malicious websites, making it a good way to spy on a person's phone. Cytrox and Intellexa were added to a U.S. government denylist earlier this year, effectively banning U.S. companies from doing business with them.
This was Apple's second high-profile security update dropped in recent months, according to the company's website. Citizen Lab said it has discovered evidence of a zero-click vulnerability used on a fully up-to-date iPhone to plant the Pegasus spyware, developed by NSO Group. The target was a person working for an unnamed Washington-based organization.
The vulnerability was used as part of an exploit chain named BLASTPASS, because it involved PassKit, a framework that allows developers to include Apple Pay in their apps.
Marczak, speaking at TechCrunch Disrupt on Thursday, said that this vulnerability resulted from a failed attempt to hack this U.S.-based victim's device.
Marczak said that he was not satisfied with the results of the commission's investigation. s WebP image library, which is embedded into the iPhone. Attackers have found a way to exploit this to run arbitrary code within Apple's iMessage sandbox to install spyware on the system.