Apple Patches Major iPhone Bug Linked to Gov't Spying

John Lister's picture

Apple has released a patch for a potentially serious iPhone bug. It's worth double-checking that the patch was installed automatically and manually starting the update if it was not.

The fix comes in version 15.0.2 of iOS and patches an actively exploited zero-day bug. That means attackers not only know about the security hole but were already using it before Apple could release a fix. In other words, Apple had a "zero days" head start in the battle between patching and hacking.

The bug involves memory corruption and means a correctly-targeted attack could allow malware to access parts of the memory that should be off-limits. That would allow execution of arbitrary code with kernel privileges, a particularly dangerous combination.

Kernel Attack Extremely Powerful

Arbitrary code effectively means an attacker can issue any command they like. Meanwhile, the kernel is the part of the operating system that connects applications with the various hardware components of a device, including the processor and memory.

For a computing device to work properly, the kernel needs constant unrestricted access to everything. That means a successful attacker using this bug would effectively have complete control of the device. In particular, they could install almost any malware they wanted.

While Apple isn't revealing much about the bug (to avoid tipping off even more would-be attackers), the rumor mill has linked it to Pegasus. That's an application produced by an Israeli company called NSO Group that many have labeled malware. (Source: theregister.com)

Pegasus is marketed to governments around the world and, depending on interpretation, used for cyber-surveillance of criminals or to spy on political opponents and human rights activists.

Manual Update Simple To Launch

Most iPhone users should have their device set to automatically install updates, including security patches. Given the severity of this security bug, it may be worth manually forcing an update if that hasn't happened yet.

On most devices this involves opening the Settings app, tapping on General and then tapping on Software Update. This will show which version of iOS is installed and whether an update is available. If the phone isn't yet on 15.0.2 there should be an option to manually start the update. (Source: apple.com)

What's Your Opinion?

Does this news surprise you? Do you generally consider Apple products more secure than Android or Windows devices? Should governments deal with surveillance companies whose tactics could put the general public at risk of hacking?
