New urgent iPhone update can’t protect you from Pegasus spy software

Apple announced the release of an emergency update to address some recently detected security flaws, including a couple of errors that can be exploited remotely. Users need to upgrade to iOS 14.7 on their iPhone or iPad devices. Nonetheless, the patches do not include a fix for a flaw that allows the installation of Pegasus spyware on Apple devices. The most recent reports indicate that threat actors abuse a zero-day vulnerability in the Apple iMessage feature to install the infamous spyware on exposed devices.

This emergency update addresses a total of 40 flaws, of which 37 are iPhone-only. The most severe of these vulnerabilities would allow remote threat actors to execute arbitrary code with root user privileges on the affected devices.

As of now, Apple considers that there are no reports of active exploitation. However, the risk to government agencies is considered critical, so it is necessary to update as soon as possible.

Some of the major security patches address flaws that reside in WebKit, the Safari browser engine. All four vulnerabilities (CVE-2021-30758, CVE-2021-30795, CVE-2027-30797, and CVE-2021-30799) exist due to type confusion errors, use-after-free errors, and memory corruption flaws.

Apple’s report includes a list of the 40 flaws addressed in this emergency update.

Besides the updates, Apple issued a list of security recommendations to mitigate exploitation risk, which includes:

  • Run any tool as a non-privileged user
  • Avoid downloading files or applications from unknown sources
  • Do not visit platforms of suspicious appearance or dubious reputation

While the update was released earlier this week, the company kept technical details about these flaws undisclosed due to the risk of latent exploitation. It should be remembered that this is a standard practice in the cybersecurity community to prevent the massive exploitation of zero-day flaws.

For the cybersecurity community, this is a red flag that Apple should take seriously, rather than just fixing the flaws detected in iMessage. Dirk Schrader, cybersecurity specialist, believes: “No device or operating system is 100% free from failures; this is a clear example that Apple needs to rethink its current approach to security, which researchers, manufacturers and users often consider more secure than their counterparts.”
