SecureMac, Inc.

Checklist 247: Grounding Pegasus

September 17, 2021

Apple releases security updates for all major OSes in an effort to combat Pegasus spyware. Plus: Has Apple really given up on privacy?


This week on The Checklist:

A critical round of security updates

Apple has released a round of software updates aimed at patching the vulnerabilities that are being exploited by NSO Group’s Pegasus spyware. The company issued the updates on Monday as iOS 14.8, iPadOS 14.8, macOS Big Sur 11.6, and watchOS 7.6.2.

According to a piece at iDownloadBlog, the updates are aimed at fixing two bugs in Apple’s software:

One is present in the CoreGraphics subsystem that provides lightweight 2D rendering while the other plagues the WebKit layout engine, used by the Safari browser and other system features that want to render web content.

The researchers at Citizen Lab who discovered the CoreGraphics vulnerability (tracked as CVE-2021-30860) say that it has been used in zero-click attacks by NSO Group’s Pegasus spyware. The exploit, which Citizen Lab calls FORCEDENTRY, arrives as a malformed PDF sent through iMessage and needs no action from the target, which is what “zero-click” means: there is no link to tap and nothing to notice. The WebKit bug (CVE-2021-30858) is a separate issue that Apple says may also have been actively exploited. We covered the Pegasus story in detail in Checklist 240: Updating Apple Gear and Sizing Up Pegasus.

You may be wondering why Apple bothered releasing a round of updates when it’s already planning to release iOS 15, iPadOS 15, and more in just another week. The answer has to do with the uniquely serious nature of the threat posed by Pegasus spyware, which, according to the reporters at The Guardian who broke the story, is able to “extract messages, photos and emails, record calls and secretly activate microphones”. Obviously if there’s ongoing exploitation happening on iPhones all around the world, Apple wants to put a stop to it as soon as possible. 

In addition, Apple definitely needed to release macOS Big Sur 11.6, since Monterey isn’t coming until later this fall, and even then it won’t run on all Macs. That is also why the company released Security Update 2021-005 Catalina, which carries the CoreGraphics fix for Macs still on Catalina, and Safari 14.1.2, which carries the WebKit fix for both Catalina and Mojave. Note that a Mac on Mojave gets only the WebKit fix from this round; the CoreGraphics fix is not available for it.

Needless to say, this is one round of updates where you don’t want to delay. We recommend updating all of your devices as soon as possible.
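If you look after more than one Mac, the version numbers above are enough to script a quick “is this machine patched?” check. The script below is an added example for this page, not SecureMac’s or Apple’s code. It takes the output of `sw_vers -productVersion` and `softwareupdate --history` and applies the baselines from the show notes: Big Sur 11.6 or later counts as patched, Catalina counts as patched only if “Security Update 2021-005” appears in the install history (the version number stays at 10.15.7 after the update, so it tells you nothing on its own), and Mojave or older is reported as unpatched because those Macs only receive the Safari 14.1.2 WebKit fix. The exact wording of the history line is an assumption, as is treating macOS 12 and later as patched.

```shell
#!/bin/sh
# Added example (not SecureMac's or Apple's code): decide whether a Mac has
# the 13 September 2021 fixes described above.
# Patched baselines from the show notes:
#   macOS Big Sur 11.6, or Catalina 10.15.7 plus "Security Update 2021-005".
# Assumptions: macOS 12 and later count as patched; the softwareupdate
# history line contains the literal text "Security Update 2021-005";
# Mojave and older get only the Safari 14.1.2 WebKit fix and are reported
# as unpatched here.

# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B on dotted version strings.
# Missing components count as 0, so 11.6 and 11.6.0 compare equal.
vercmp() {
  _a=$1 _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*} _y=${_b%%.*}
    if [ "${_x:-0}" -lt "${_y:-0}" ]; then echo -1; return 0; fi
    if [ "${_x:-0}" -gt "${_y:-0}" ]; then echo 1; return 0; fi
    case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
  done
  echo 0
}

# mac_patched PRODUCT_VERSION UPDATE_HISTORY
#   PRODUCT_VERSION: output of `sw_vers -productVersion`, e.g. 11.5.2
#   UPDATE_HISTORY:  output of `softwareupdate --history` (may be empty)
# Exit status 0 = patched, 1 = needs an update, 2 = unrecognised version.
mac_patched() {
  _ver=$1 _hist=$2
  case "$_ver" in
    10.15.*)
      # Catalina stays at 10.15.7 after the fix; only the history shows it.
      printf '%s\n' "$_hist" | grep -q 'Security Update 2021-005'
      ;;
    10.*|[0-9].*)
      return 1      # Mojave and older: no CoreGraphics fix in this round
      ;;
    [1-9][0-9].*)
      [ "$(vercmp "$_ver" 11.6)" -ge 0 ]   # Big Sur 11.6 or anything newer
      ;;
    *)
      return 2
      ;;
  esac
}

# On a real Mac, run the check against the live system; elsewhere do nothing.
if command -v sw_vers >/dev/null 2>&1; then
  if mac_patched "$(sw_vers -productVersion)" "$(softwareupdate --history 2>/dev/null)"; then
    echo "patched"
  else
    echo "update needed (or unrecognised version)"
  fi
fi
```

Run it directly on a Mac and it reports on that machine; from a management tool you can feed it the two command outputs collected from each host. The Catalina branch is the one worth remembering: a fleet report that only compares `sw_vers` output will mark every Catalina Mac as “up to date” whether or not the security update was installed.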

One missing thing?

Apple’s California Streaming event introduced a number of new products and features. They covered a lot of ground during the 80-minute event, from Apple Fitness+ offerings to updated iPads, from the iPhone 13 lineup to chips, cameras, and video production. But one topic was conspicuously absent from the event, at least according to some observers: privacy. 

In fairness, Apple did mention privacy, but only for about a minute or so — and as the folks at CNET point out, they didn’t mention Pegasus spyware or the controversy over on-device CSAM scanning. Elsewhere online, some folks were suggesting that the scant attention paid to privacy on Tuesday means that Apple simply doesn’t care about the issue anymore.

However, although privacy wasn’t front and center at the event, this doesn’t mean that it’s no longer a priority for Apple. After all, the new OSes coming on September 20 are packed with privacy features, as we discussed on Checklist 234: Privacy, Security, and WWDC with August Trometer.

To recap, here’s what users can expect next week from Apple in terms of privacy enhancements:

  • iCloud Private Relay (part of the paid iCloud+ tier), a two-hop relay for Safari traffic that keeps your ISP from seeing which sites you visit and keeps the sites you visit, and the DNS resolvers involved, from seeing your real IP address.
  • Hide My Email, which lets you create as many unique “burner” addresses as you like that forward to your real inbox and can be deleted at any time.
  • Mail Privacy Protection, which loads remote content in the Mail app through Apple’s proxies so that tracking pixels in email can’t see your IP address or learn when you opened a message, plus IP-address hiding from known trackers in Safari.
  • More granular location permissions, including a one-time location button that apps can embed, so you can share your current location for a single action without granting the app any ongoing location access.

And of course, there is the privacy feature that Apple did mention at the event this week: on-device Siri. With iOS 15, on iPhones with an A12 Bionic chip or later, Siri processes the audio of your requests on the device itself, so many requests are handled without the audio ever being sent to Apple’s servers.

In short, while Apple probably could have said more about privacy at their event, and while we’re certainly open to thoughtful criticism of Apple on privacy matters, it’s quite an exaggeration to say that they’ve given up on the issue altogether! 

We love to hear from our listeners! If you have a comment, a question, or a suggestion for a future show topic, please write to us and let us know. And while you’re waiting for the next Checklist, be sure to check out our archives, where you can find full audio and notes for every episode of the podcast we’ve ever done.
