Apple Releases iOS 14.8 and iPadOS 14.8 security update to close Pegasus spyware flaw

Pegasus zero-click iPhone, iPad, Mac vulnerability: Apple issued emergency software updates on Monday for a critical vulnerability in its products, after security researchers uncovered a flaw that allows highly invasive spyware from Israel’s NSO Group to infect anyone’s iPhone, iPad, Apple Watch or Mac computer without any click.


What is in the iOS 14.8 and iPadOS 14.8 update?

On September 13, 2021, Apple released security updates for its iPhone, iPad, Apple Watch and Mac computers that close a vulnerability reportedly exploited by spyware built by NSO Group, an Israeli security company. The flaw allows highly invasive spyware from Israel’s NSO Group to infect anyone’s iPhone, iPad, Apple Watch or Mac computer without so much as a click. Apple’s security team had worked around the clock to develop a fix since Tuesday, after researchers at Citizen Lab, a cybersecurity watchdog organization at the University of Toronto, discovered that a Saudi activist’s iPhone had been infected with an advanced form of spyware from NSO.

Apple says this update is purely about security, stating in a support document that it fixes CoreGraphics and WebKit issues, both of which could lead to arbitrary code execution. In the case of the WebKit issue, there’s evidence that it’s important to update now. Apple says: “Apple is aware of a report that this issue may have been actively exploited.” Apple also released watchOS 7.6.2 and macOS Big Sur 11.6, as well as a security update for macOS Catalina, to address the vulnerability.


What can the Pegasus spyware do?

“This spyware can do everything an iPhone user can do on their device and more,” said John Scott-Railton, a senior researcher at Citizen Lab, who teamed up with Bill Marczak, a senior research fellow at Citizen Lab, on the finding.

The spyware, called Pegasus, used a novel method to invisibly infect Apple devices without victims’ knowledge. Known as a “zero click remote exploit,” it is considered the Holy Grail of surveillance because it allows governments, mercenaries and criminals to secretly break into someone’s device without tipping the victim off. Using the zero-click infection method, Pegasus can turn on a user’s camera and microphone, record messages, texts, emails, calls — even those sent via encrypted messaging and phone apps like Signal — and send them back to NSO’s clients at governments around the world. The discovery means that more than 1.65 billion Apple products in use worldwide have been vulnerable to NSO’s spyware since at least March.

NSO released a statement late Monday that didn't directly address Apple's update but said it "will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime." The company, which licenses surveillance software to government agencies, says its Pegasus software helps authorities combat criminals and terrorists who take advantage of encryption technology to go "dark." Pegasus runs secretly on smartphones, providing insight into what their owners are doing.

How to get the iOS 14.8 and iPadOS 14.8 update

Updating is easy. Open the Settings app on the iPhone (or iPad) and choose General, then Software Update. Then choose Download and, finally, Install. This is a small update and won’t take long to install.

This update is for compatible iPhones, with iPadOS 14.7 released simultaneously for compatible iPads. Compatibility for the phones goes back to the iPhone 6s, including the iPhone SE (both the first and current editions), plus the seventh-generation iPod touch.