Apple today rolled out a series of firmware updates for all supported devices in its ecosystem. According to the respective support pages published on the company’s website, these contain security fixes for the CoreGraphics and WebKit vulnerabilities that potentially allow for a “zero-click” installation of malicious software onto affected Apple products.
Malware that exploits these vulnerabilities is capable of infecting a device without requiring the victim to do anything, hence the term “zero-click”. One example is the Pegasus hacking platform, a spyware tool developed by an Israeli firm known as the NSO Group.
If both of these names sound familiar, this is because they have been associated with several attacks on platforms including Apple’s iMessage, as well as Facebook’s encryption-based private messaging service WhatsApp. The Pegasus tool is alleged to be capable of various privacy-breaching acts, such as compromising user data and passwords and remotely activating a device’s onboard microphone or camera.
Security researchers at Citizen Lab report that NSO may have been relying on the CoreGraphics loophole, an exploit also first discovered by the research group, to gain access and install the Pegasus spyware onto a target’s device. Apple credited Citizen Lab for the crucial discovery in the patch notes included with the recently released firmware updates.
Meanwhile, Apple notes that the WebKit vulnerability addressed in the new update was discovered by an anonymous researcher. Prior to the fix, the exploit is reported to have affected devices under the company’s iOS and macOS Big Sur platforms. For the uninitiated, WebKit is the web browser engine used by various Apple first-party applications such as Safari, Mail, and App Store. This isn’t the first time a vulnerability has been discovered in the engine, as the company addressed three other similar issues in March, May and July of this year.
Apple users are highly advised to update their devices with today’s newly released firmware upgrades. These latest versions include iOS 14.8 for the 7th gen iPod touch and iPhone models from 6s onwards; iPadOS 14.8 for all iPad Pro models, iPad Air 2 onwards, iPad 5th gen onwards, and iPad mini 4 onwards; macOS Big Sur 11.6 for all supported Mac devices; and finally, watchOS 7.6.2 for Apple Watch Series 3 onwards.