- Apple has finally published the details of the 37 flaws it addressed in the latest iOS update.
- There’s no mention of Pegasus or any confirmation of actively exploited bugs, but the set looks interesting nonetheless.
- iPadOS, macOS, tvOS, and watchOS have also gotten their respective patches fixing several issues.
Following the news about the ‘NSO Group’ data leak, which gave a team of journalists access to huge revelations about how the “Pegasus” spyware is deployed and at what scale, Apple pushed out iOS 14.7 in an evident hurry, without providing the usual details about what exactly it fixed. Many saw this as a clear sign of Apple addressing zero-day vulnerabilities exploited by NSO’s tool, but no confirmation came out even after days of waiting. Now, finally, Apple has released the details along with the macOS and iPadOS updates that usually come out all together in one go.
According to the detailed page, iOS and iPadOS 14.7 address no fewer than 37 vulnerabilities, among which we see four remote code execution (RCE) flaws in Safari’s WebKit engine, which could be linked to the spyware deployment. The reporting of three of these flaws is attributed to Google’s Project Zero team, and they all rely on getting the victim to load maliciously crafted web content, which may lead to arbitrary code execution. Oftentimes, these bugs are exploited 'clicklessly,' so merely leading the target to visit a particular website would be enough.
Even now, with the details out, Apple mentions neither Pegasus nor the possibility of these bugs having been exploited in the wild, so nothing is certain. Also, there’s no fix for an interaction-less attack via iMessage, as some spyware experts speculated a few days ago, so there’s either no problem there, or Apple is going to address it with a subsequent update, possibly 14.7.1. Whatever the case, 37 flaws make for a long list, so updating immediately should be a priority for all iOS users.
The same goes for macOS users, who got “Big Sur” 11.5 today, with 36 fixes and the same four in the WebKit engine. Along with these, Apple also released tvOS 14.7 and watchOS 7.6, both also carrying several security fixes.