Apple issued an emergency update yesterday for a critical vulnerability discovered in its iPhones, Apple Watches, and Mac computers. Researchers at Citizen Lab discovered a no-click zero-day exploit that works on all Apple devices that do not have the latest update.
ForcedEntry
Citizen Lab first reported a zero-day vulnerability affecting Apple’s iMessage tool back in late August. The flaw was used to surreptitiously push Pegasus spyware onto the Apple devices of unsuspecting targets.
Further research revealed that ForcedEntry can also exploit a weakness in how Apple devices render images—providing another avenue for compromising a target device with a no-click zero-day attack.
Stay Calm
For most people, there is no need to panic. Yes, this newest Pegasus spyware is novel, invasive and can easily infect billions of Apple devices. But there is a solution available. Stay calm and simply get control of your device and download the software updates available from Apple.
Do that and move on.
Follow the guidance from Apple if you think you are infected and consult your IT department at work, school, etc. If none of those are an option for you, you can turn to Apple’s Genius Bar technicians for help.
With nearly 2 billion iPhones active around the world, 100 million Apple Watches being used and more than 100 million Macs, security can’t be a luxury for Apple and it’s not. It’s a responsibility they take seriously.
Combating Spyware
This type of software is generally a scourge. Spyware is ethically shady and generally operates within the darker side of the gray area between legal and illegal activity. There are potentially valid uses for monitoring or spyware tools, but the line between legitimate use and stalkerware is very thin, and the risk of abuse is significant.
The Pegasus spyware has been known for a while. What's novel is the subtle installation. These have happened in the past and should be a top priority to identify and fix for any vendor. Again, a top priority.
Make no mistake, the expanded data footprint and connected world with tens of billions of connected devices around the world means security will get harder.
Today, there is an immediate call to innovate. If you want the privileges of a connected world, today, tomorrow and beyond, we need to collectively get better at the security game. The attackers are investing, and so should we all.
Defending the Walled Garden
Relating to Apple security, failing is ok. Failing consistently is not.
Let's see how Apple addresses this. They are a generally more secure platform, but they must continue to invest and demonstrate commitment going forward. The most secure platform in the world can be cracked given time unless the security is maintained. An incident or two are not a cause for pitchforks and torches to come out. That comes later if things recur or are dealt with in a cavalier manner.
Now that the vulnerability is known, others will try to use it as quickly as possible. So, there is some sense of urgency for you to patch and fix things.