Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Security Apple

Apple Patches a NSO Zero-Day Flaw Affecting All Devices (techcrunch.com) 29

Posted by msmash from the PSA dept.
Apple has released security updates for a newly discovered zero-day vulnerability that affects every iPhone, iPad, Mac and Apple Watch. Citizen Lab, which discovered the vulnerability and was credited with the find, urges users to immediately update their devices. From a report: The technology giant said iOS 14.8 for iPhones and iPads, as well as new updates for Apple Watch and macOS, will fix at least one vulnerability that it said "may have been actively exploited." Citizen Lab said it has now discovered new artifacts of the ForcedEntry vulnerability, details it first revealed in August as part of an investigation into the use of a zero-day vulnerability that was used to silently hack into iPhones belonging to at least one Bahraini activist.

Last month, Citizen Lab said the zero day flaw -- named as such since it gives companies zero days to roll out a fix -- took advantage of a flaw in Apple's iMessage, which was exploited to push the Pegasus spyware, developed by Israeli firm NSO Group, to the activist's phone. Pegasus gives its government customers near-complete access to a target's device, including their personal data, photos, messages and location.
This discussion has been archived. No new comments can be posted.

Apple Patches a NSO Zero-Day Flaw Affecting All Devices More

Apple Patches a NSO Zero-Day Flaw Affecting All Devices

Comments Filter:

  • Citizen Lab said the zero day flaw -- named as such since it gives companies zero days to roll out a fix ...

    I al;ways thought zero-day flaw referred to the number of days that it took to discover the flaw since the last fix or security update.

    Otherwise basically every flaw is a zero-day flaw, because a company never has any days to roll out a fix before they know about it.

    • Re:"Named such because..." (Score:5, Informative)

      by gregarican ( 694358 ) on Monday September 13, 2021 @04:18PM (#61793035) Homepage

      I think "zero day" indicates that it's publicly disclosed, so that the vendor has no heads-up to patch it. There have been many cases where the discoverer notifies the vendor privately so that the vendor has an opportunity to patch it. Of course those premises go back to the days when there hasn't been a 24x7 news cycle, social media firestorms, etc.

  • I wonder if this affects my ancient iPhone 5 (no "S") ;)

    • Probably - somebody was saying elsewhere that it's the GIF interpreter.

      If you're using an iPhone 5 on the Internet or phone network you should assume adversaries are on it. That's unfortunate but the state of technology.

      • Re: (Score:1)

        by Anonymous Coward
        Nope, it's a PDF vulnerability in CoreGraphics. Oddly the content of CVE-2021-30860 [mitre.org] has been withdrawn from MITRE Corp., but the gist of it is still mentioned in HT212806 [apple.com] on Apple's site.

  • Android (Score:5, Funny)

    by ArchieBunker ( 132337 ) on Monday September 13, 2021 @04:22PM (#61793051)

    People with Android phones asking, what's an update?

    • Mostly true. However, with Pixel 6 running on custom hardware, Google finally seems to be promising 5 years of updates. One wonders if Qualcomm will finally see the light? Probably not...

      • Re: (Score:2)

        by tlhIngan ( 30335 )

        Mostly true. However, with Pixel 6 running on custom hardware, Google finally seems to be promising 5 years of updates. One wonders if Qualcomm will finally see the light? Probably not...

        Qualcomm makes money selling chips. Short update cycles mean they sell more chips. It's in their interest to not offer updates.

      • More phone makers have to come onboard with this. I'd pay more money for a phone with more time of officially supported updates.

  • Ouch (Score:2)

    by kackle ( 910159 )
    I wonder whether my friend just got hit with this. His Apple laptop, tablet and phone all started acting funny, and he was unable to "reset" them, he said. Then, they started turning themselves on without intervention. Creepy.

    He had an idea: Run their batteries down until he could deal with their repair. I also thought that putting them in an (non-running!) microwave oven might block their radio signals, too. But he's still concerned that his identity was filched.

  • Anyone in Russia hacking and it's Russian hacking.

    Anyone in China hacking and it's Chinese hacking.

    Anyone in Israel hacking and it's....?

    You'd have to be a complete dickhead to not spot the obvious hypocrisy and its part in weaving the whole modern narrative of bullshit we're force fed.

    • Re: (Score:2)

      by khchung ( 462899 )

      Anyone in Russia hacking and it's Russian hacking.

      Anyone in China hacking and it's Chinese hacking.

      Anyone in Israel hacking and it's....?

      You'd have to be a complete dickhead to not spot the obvious hypocrisy and its part in weaving the whole modern narrative of bullshit we're force fed.

      This is nothing new. Just check the headlines here in /. in the last 20 years and you will find the same pattern.

      Anything bad from Russia/China/etc, it will be “Russian xxxx did xxx”, while American/Israeli did the same thing, it would be “[specific group] did xxx”. This case being a perfect example, if NSO were Russian, the headline would surely be “... Patches a Russian exploit ...”

      Always associate Russia/China with bad acts, while avoiding the same for the US and all

  • "It's well understood in the security community that Android has a malware problem that iOS has succeeded in staying ahead of."
  • Apple may have rushed this out too quickly. I just had the update fail on me with an unhelpful error message. I'm trying again but if that fails, I'll have to fall back to a restore. Caveat emptor.

Slashdot Top Deals

"What man has done, man can aspire to do." -- Jerry Pournelle, about space flight

Close