Apple patches security flaw that leaves users vulnerable to spyware

NSO’s Pegasus was in July linked to phones belonging to dozens of journalists, human rights activists and politicians, according to an investigation by a consortium of newspapers. Civil rights activists say the software – which requires an Israeli government licence for export because it is viewed as a weapon – can be used for unlawful surveillance, not just by certain governments to target terrorists and criminals.

In a statement, the company said: “NSO Group will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.”

Chat apps a weak link

Citizen Lab said its discovery of another previously unknown vulnerability on Apple hardware “illustrates that companies … are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies. Regulation of this growing, highly profitable, and harmful marketplace is desperately needed.”

Apple said it was issuing the patch because “processing a maliciously crafted PDF may lead to arbitrary code execution”. It said it was “aware of a report that this issue may have been actively exploited”.

Separately, Ivan Krstic, head of security engineering and architecture at Apple, said in a statement that “attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals”, adding that they were “not a threat to the overwhelming majority of our users”.

Nevertheless, the revelation could further dent the image of iOS as a more secure operating system than Android. Apple has long emphasised that no system can be 100 per cent secure from hackers.

Citizen Lab said chat apps in particular had become “a major target for the most sophisticated threat actors, including nation-state espionage operations and the mercenary spyware companies that service them”.

Financial Times