Apple Inc on Monday said it patched a security flaw in its Messages app after security researchers determined that Israel-based NSO Group used it to “exploit and infect” the US firm’s latest devices with spyware.
The flaw, disclosed on Monday by Citizen Lab, allowed a hacker using NSO’s Pegasus malware to gain access to a device owned by an unnamed Saudi Arabian rights advocate, security researchers said.
Apple said the flaw could be exploited if a user on a vulnerable device received a “maliciously crafted” PDF file.
The flaw was a “zero-day” vulnerability, a term that refers to recently discovered bugs that hackers can exploit and that have not yet been patched.
People did not have to click on the malicious file for it to infect their devices, something known as a “zero-click” exploit, said a report released by Citizen Lab, a cyberresearch unit at the University of Toronto.
“What this highlights is that chat apps are the soft underbelly of device security,” Citizen Lab senior researcher John Scott-Railton wrote in a text message. “They are ubiquitous, which makes them really attractive, so they are an increasingly common target for attackers.”
“They need to be a major priority for security,” Scott-Railton said. “Narrowing the attack surface from chat apps will go a long way toward making all of our devices more secure.”
Apple is patching the bug on the iPhone, iPad, Mac and Apple Watch via iOS 14.8, iPadOS 14.8, macOS 11.6 and watchOS 7.6.2 software updates. The software releases came the day before a highly anticipated Apple product launch event yesterday.
The company was expected to announce the release date for iOS 15, Apple’s next major software update, which is to contain additional security protections.
“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users,” Apple head of security engineering and architecture Ivan Krstić said in a statement. “We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly.”
Attacks like this one are “highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals,” Krstić said. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
The NSO Group has been the subject of repeated criticism by Citizen Lab and other organizations after its spyware was discovered on the phones of rights advocates and journalists critical of repressive regimes.
In its report on Monday, Citizen Lab accused NSO Group of facilitating “despotism-as-a-service for unaccountable government security agencies” and argued that regulation is “desperately needed.”
NSO Group has insisted that the spyware is intended to be used to fight terrorism and crime, not to aid in human rights abuses.
In its own statement, NSO Group said that the company “will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies.”
In June, the company published its first Transparency and Responsibility Report, which defended its technology and efforts to curb misuse by customers.
The White House has raised concerns about NSO Group with senior Israeli officials, the Washington Post reported.