
Apple fixes security hole reportedly used to hack an iPhone

Sep 13, 2021, 6:00 PM | Updated: Sep 15, 2021, 2:04 pm

BOSTON (AP) — Apple released a critical software patch to fix a security vulnerability that researchers said could allow hackers to directly infect iPhones and other Apple devices without any user action.

Researchers at the University of Toronto’s Citizen Lab said the security issue was exploited to plant spyware on a Saudi activist’s iPhone. They said they had high confidence that the world’s most infamous hacker-for-hire firm, Israel’s NSO Group, was behind that attack.

The previously unknown vulnerability affected all major Apple devices — iPhones, Macs and Apple Watches, the researchers said. NSO Group responded with a one-sentence statement saying it will continue providing tools for fighting “terror and crime.”

It was the first time a so-called “zero-click” exploit — one that doesn’t require users to click on suspect links or open infected files — has been caught and analyzed, the researchers said. They found the malicious code on Sept. 7 and immediately alerted Apple. The targeted activist asked to remain anonymous, they said.

“We’re not necessarily attributing this attack to the Saudi government,” said researcher Bill Marczak.

Citizen Lab previously found evidence of zero-click exploits being used to hack into the phones of al-Jazeera journalists and other targets, but hasn’t previously seen the malicious code itself.

Although security experts say that the average iPhone, iPad and Mac user generally need not worry — such attacks tend to be limited to specific targets — the discovery still alarmed security professionals.

Malicious image files were transmitted to the activist’s phone via the iMessage instant-messaging app before it was hacked with NSO’s Pegasus spyware, which opens a phone to eavesdropping and remote data theft, Marczak said. It was discovered during a second examination of the phone, which forensics showed had been infected in March. He said the malicious file causes devices to crash.

Citizen Lab says the case reveals, once again, that NSO Group is allowing its spyware to be used against ordinary civilians.

In a blog post, Apple said it was issuing a security update for iPhones and iPads because a “maliciously crafted” PDF file could lead to them being hacked. It said it was aware that the issue may have been exploited and cited Citizen Lab.

In a subsequent statement, Apple security chief Ivan Krstic commended Citizen Lab and said such exploits “are not a threat to the overwhelming majority of our users.” He noted, as he has in the past, that such exploits typically cost millions of dollars to develop and often have a short shelf life. Apple didn’t respond to questions regarding whether this was the first time it had patched a zero-click vulnerability.

Users should get alerts on their iPhones prompting them to update the phone’s iOS software. Those who want to jump the gun can go into the phone settings, click “General” then “Software Update,” and trigger the patch update directly.

Citizen Lab called the iMessage exploit FORCEDENTRY and said it was effective against Apple iOS, MacOS and WatchOS devices. It urged people to immediately install security updates.

Researcher John Scott-Railton said the news highlights the importance of securing popular messaging apps against such attacks. “Chat apps are increasingly becoming a major way that nation-states and mercenary hackers are gaining access to phones,” he said. “And it’s why it’s so important that companies focus on making sure that they are as locked down as possible.”

The researchers said it also undermines NSO Group’s claims that it only sells its spyware to law enforcement officials for use against criminals and terrorists and audits its customers to ensure it’s not abused.

“If Pegasus was only being used against criminals and terrorists, we never would have found this stuff,” said Marczak.

Facebook’s WhatsApp was also allegedly targeted by an NSO zero-click exploit. In October 2019, Facebook sued NSO in U.S. federal court for allegedly targeting some 1,400 users of the encrypted messaging service with spyware.

In July, a global media consortium published a damning report on how clients of NSO Group have been spying for years on journalists, human rights activists, political dissidents, and people close to them, with the hacker-for-hire group directly involved in the targeting. Amnesty International said it confirmed 37 successful Pegasus infections based on a leaked targeting list whose origin was not disclosed.

One case involved the fiancee of Washington Post journalist Jamal Khashoggi just four days after he was killed in the Saudi Consulate in Istanbul in 2018. The CIA attributed the murder to the Saudi government.

The recent revelations also prompted calls for an investigation into whether Hungary’s right-wing government used Pegasus to secretly monitor critical journalists, lawyers and business figures. India’s parliament also erupted in protests as opposition lawmakers accused Prime Minister Narendra Modi’s government of using NSO Group’s product to spy on political opponents and others.

France is also trying to get to the bottom of allegations that President Emmanuel Macron and members of his government may have been targeted in 2019 by an unidentified Moroccan security service using Pegasus. Morocco, a key French ally, denied those reports and is taking legal action to counter allegations implicating the North African kingdom in the spyware scandal.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
