Apple Discovers Security Vulnerability in Majority of its Devices

News about emergency updates from Apple to address the Pegasus spyware threat is spreading all over the Internet. The exploit was captured by spyware researchers at the University of Toronto’s Citizen Lab.

Pegasus is a powerful piece of malware designed to spy on users. In the case of an attack, a user’s device accepts and processes an unusually compiled file, which interferes with the state of the system and allows hackers to run arbitrary code.

It is publicly known that Pegasus was developed by NSO Group, a firm that creates software for the intelligence services of various countries. The firm allegedly purchases zero-day exploits, which mean executable code capable of exploiting system vulnerabilities, and adds value by developing methods and strategies how to use it. Thus, the customer receives an executable code and action plan. This would be the expected business model for a vendor of such “solutions”, since detecting zero-day vulnerabilities and developing ways of exploiting them by yourself would cost a fortune and be too resource-intensive.

On September 13, Apple released an unscheduled update that fixed some vulnerabilities, although the Pegasus exploit was not mentioned. Nevertheless, the company claims to have provided a fix for “Processing maliciously crafted .pdf file that may lead to arbitrary code execution”, with indirect evidence suggesting a correlation with the exploit reported by Citizen Lab researchers.

Although iOS is considered to be much more secure than Android, it is still exposed to zero-day threats. However, descriptions of these are only available to a chosen few, and exploits cost far more than those for Android.

Discovering this exploit represents mixed news for average users. While the detection of the dangerous vulnerability is of concern, the fact it is no longer a threat is reassuring. Now, it is important to install the most recent security updates and remember that we may be exposed to other, as yet undetected, zero-day exploits. Developers around the globe are therefore doing their best to minimize the risk of such vulnerabilities.