SecureMac, Inc.

Checklist 240: Updating Apple Gear and Sizing Up Pegasus

July 23, 2021

Pegasus spyware: NSO Group niche threat or something for everyone to worry about? Plus, Apple’s July security fixes and more!

Checklist 240: Updating Apple Gear and Sizing Up Pegasus

On this week’s Checklist, we’ll cover the latest round of Apple updates, and we talk about whether or not NSO Group’s Pegasus spyware is something everyday iOS users should worry about.

Apple July updates (features)

Apple has updated all of its OSes again. The updates were issued as:

  • iOS 14.7
  • iPadOS 14.7
  • macOS 11.5
  • tvOS 14.7
  • watchOS 7.6

There were also security updates for older macOS versions (Catalina and Mojave), as well as a Safari update for older Macs (Safari 14.1.2).

In terms of features, probably the biggest news was the introduction of iOS support for the MagSafe Battery Pack. This was expected. Apple has been taking orders for the iPhone 12 accessory since last week, and the first shipments are set to arrive to customers on July 19. 

Other iOS features of note include:

  • Apple Card Family support, which allows families to combine credit limits and share a single account
  • HomePod controlled timers in the Home app
  • Air Quality info in Weather and Maps for the following countries: Canada, France, Italy, Netherlands, South Korea, and Spain

There were also some welcome tweaks for the iPad:

  • A fix for a display issue affecting Braille users (Braille displays were showing invalid information when using Mail)
  • Addressing the missing Share Playlist menu option in Apple Music
  • Fixing an audio issue that was affecting users of USB-C to 3.5 mm headphone jack adapters.

As far as macOS was concerned, there were no huge changes in macOS 11.5. The update did, however, address a couple of bugs that had been affecting some users:

  • An issue where Music was not updating play history data correctly
  • An issue preventing M1 Mac users from using smart cards

Apple July updates (security)

In addition to new features and UX improvements, there were also a number of security fixes as well. 

Maybe the most interesting of the iOS/iPadOS security patches addressed a curious vulnerability in wireless network naming. It seems that if a user joined a Wi-Fi network named “%p%s%s%s%s%n”, their device’s Wi-Fi could be permanently disabled. As of this update, that vulnerability has been patched (though we still wouldn’t recommend joining weird Wi-Fi networks!).

In addition to this, iOS 14.7 and iPadOS 14.7 fix serious issues with Apple’s audio, image, and font processing frameworks. Apple says that these bugs could have led to code execution on a device, or the bypass of certain system security features in some cases.

On the Mac side, macOS 11.5 addresses some pretty serious Big Sur security issues as well, including:

  • An AMD Kernel bug that could have permitted a malicious app to run code with kernel privileges
  • A couple of Intel Graphics Driver flaws that could have resulted in crashes or code execution
  • An issue with Kext Management that could have let an app override a user’s Privacy preferences

In addition to all of that, there were also fixes for several WebKit issues. We’ve talked about WebKit before: It’s the browser engine that powers just about everything Apple makes that can access the web. Unsurprisingly, these WebKit fixes showed up in every single OS update this time around. That means all of the ones already mentioned, plus the watchOS, tvOS, and older macOS version updates.

Apple recommends that everyone update their OSes without delay.

Pegasus spyware: everybody’s problem

The big Apple security story this week had nothing to do with updates: It was all about Pegasus spyware. The commercial spyware product, made by an Israeli firm called NSO Group, is sold to law enforcement and intelligence agencies around the world.

Pegasus is a serious security and privacy threat. If it gets onto a mobile device, it can exfiltrate message data, photos, and emails. It can also be used to turn on the microphone and record calls.

NSO Group says that their product is only intended to help the authorities combat crime and terrorism. But critics of NSO Group have long claimed that authoritarian regimes use the spyware as a tool of repression. Over the weekend, The Guardian published a joint investigation into NSO group’s Pegasus spyware that lent credence to that accusation. The journalists say that:

Human rights activists, journalists and lawyers across the world have been targeted by authoritarian governments using hacking software sold by the Israeli surveillance company NSO Group.

The authors of the report came to this conclusion after analyzing what they call “a massive data leak” of over 50,000 phone numbers. Those phone numbers are thought to belong to people who are “of interest” to the governments that purchase Pegasus spyware.

According to the report, the numbers include hundreds of “journalists … business executives, religious figures, academics, NGO employees, union officials and government officials, including cabinet ministers, presidents and prime ministers”. 

So why is this an Apple security story? Because as it turns out, iPhone users are not immune to Pegasus. The spyware can infect an iPhone in several ways — including through 0-click iMessage exploits and possibly via the Apple Music app as well.

For its part, Apple has issued a statement condemning cyberattacks on journalists and activists, and calling the iPhone “the most secure consumer mobile device on the market”. The statement goes on to offer some reassurances to the general public. Apple points out that tools like Pegasus are typically used in targeted attacks only. As such, Apple says, they “are not a threat to the overwhelming majority of our users”.

In fairness to Apple, that’s likely true in a strict sense. But attacks on journalists and activists have a ripple effect — one that goes far beyond the individuals targeted. A journalist with a compromised iPhone, for example, could have their sources put in danger. And if an activist is stopped from working for the betterment of their society, then that affects everyone. 

In other words, just because you don’t have to worry about NSO Group’s Pegasus spyware on your own iOS device … doesn’t mean you don’t have to worry about it.

If you’d like to learn more about security and privacy issues while you wait for the next episode of The Checklist, be sure to stop by our archives. And if you have a question that you’d like answered on a future show, please drop us a line!

Get the latest security news and deals