Apple Patches a NSO Zero-Day Flaw Affecting All Devices (techcrunch.com)
Apple has released security updates for a newly discovered zero-day vulnerability that affects every iPhone, iPad, Mac and Apple Watch. Citizen Lab, which discovered the vulnerability and was credited with the find, urges users to immediately update their devices. From a report: The technology giant said iOS 14.8 for iPhones and iPads, as well as new updates for Apple Watch and macOS, will fix at least one vulnerability that it said "may have been actively exploited." Citizen Lab said it has now discovered new artifacts of the ForcedEntry vulnerability, details it first revealed in August as part of an investigation into the use of a zero-day vulnerability that was used to silently hack into iPhones belonging to at least one Bahraini activist.
Last month, Citizen Lab said the zero day flaw -- named as such since it gives companies zero days to roll out a fix -- took advantage of a flaw in Apple's iMessage, which was exploited to push the Pegasus spyware, developed by Israeli firm NSO Group, to the activist's phone. Pegasus gives its government customers near-complete access to a target's device, including their personal data, photos, messages and location.
"Named such because..." (Score:2)
I always thought zero-day flaw referred to the number of days that it took to discover the flaw since the last fix or security update.
Otherwise basically every flaw is a zero-day flaw, because a company never has any days to roll out a fix before they know about it.
Re:"Named such because..." (Score:5, Informative)
I think "zero day" indicates that it's publicly disclosed, so that the vendor has no heads-up to patch it. There have been many cases where the discoverer notifies the vendor privately so that the vendor has an opportunity to patch it. Of course those premises go back to the days when there wasn't a 24x7 news cycle, social media firestorms, etc.
Re: (Score:2)
Which would apply to any publicly known bug or flaw for which no fix happens to yet be available. Basically it becomes a catch-all phrase for any unpatched exploit. Why the fuck even bother with the buzzword "zero-day", then?
It becomes an overbroad net that completely ignores whether or not the company might have even been actively working on getting a fix ready but the bug was disclosed before they had issued the update, and so effectively ignores its own supposed criteria of whether or not the compa
Re: (Score:2)
Some exploits are discovered before they are exploited in the wild. These are not zero day bugs and don't become zero day bugs just because a patch becomes public.
You can't misinterpret something and then complain that it's a meaningless term based on your misunderstanding. Maybe try to understand how things actually work before shooting off your mouth.
Re: (Score:2)
Which is all but wholly meaningless. What is the difference between "zero-day" and "unpatched exploit"?
what about iPhone 5? (Score:1)
I wonder if this affects my ancient iPhone 5 (no "S") ;)
Re: (Score:2)
Probably - somebody was saying elsewhere that it's the GIF interpreter.
If you're using an iPhone 5 on the Internet or phone network you should assume adversaries are on it. That's unfortunate but the state of technology.
Android (Score:5, Funny)
People with Android phones asking, what's an update?
Re: (Score:2)
Mostly true. However, with Pixel 6 running on custom hardware, Google finally seems to be promising 5 years of updates. One wonders if Qualcomm will finally see the light? Probably not...
Re: (Score:2)
Qualcomm makes money selling chips. Short update cycles mean they sell more chips. It's in their interest to not offer updates.
Ouch (Score:2)
He had an idea: Run their batteries down until he could deal with their repair. I also thought that putting them in a (non-running!) microwave oven might block their radio signals, too. But he's still concerned that his identity was filched.
Media not reporting as "Israeli hacking"? (Score:2, Interesting)
Anyone in Russia hacking and it's Russian hacking.
Anyone in China hacking and it's Chinese hacking.
Anyone in Israel hacking and it's....?
You'd have to be a complete dickhead to not spot the obvious hypocrisy and its part in weaving the whole modern narrative of bullshit we're force fed.
Re: (Score:2)
Anyone in Russia hacking and it's Russian hacking.
Anyone in China hacking and it's Chinese hacking.
Anyone in Israel hacking and it's....?
You'd have to be a complete dickhead to not spot the obvious hypocrisy and its part in weaving the whole modern narrative of bullshit we're force fed.
This is nothing new. Just check the headlines here in /. in the last 20 years and you will find the same pattern.
Anything bad from Russia/China/etc, it will be “Russian xxxx did xxx”, while American/Israeli did the same thing, it would be “[specific group] did xxx”. This case being a perfect example, if NSO were Russian, the headline would surely be “... Patches a Russian exploit ...”
Always associate Russia/China with bad acts, while avoiding the same for the US and all
You were saying, Craig Federighi? (Score:1)
There may be problems with this update (Score:2)