iOS 14.7.1 Patches Zero-Day Exploit Used by NSO’s Pegasus Spyware

BY Rajesh Pandey

Published 27 Jul 2021

iOS 14.7 what's new

Apple yesterday released the iOS 14.7.1 and iPadOS 14.7.1 update for all compatible iPhones and iPads with some bug fixes in tow. Seemingly, it looks like Apple patched a major zero-click vulnerability with the latest iOS release.

Apart from iOS 14.7.1 and iPadOS 14.7.1, Apple also released the macOS 11.5.1 update with some important and urgent security fixes.

The Register speculates that the CVE-2021-30807 security fix in iOS 14.7.1 patches the exploit used by NSO’s Pegasus to snoop on journalists, politicians, and others.

CVE-2021-30807, credited to an anonymous researcher, has been addressed by undisclosed but purportedly improved memory handling code.

“An application may be able to execute arbitrary code with kernel privileges,” the iDevice maker said in one of its duplicative advisories. “Apple is aware of a report that this issue may have been actively exploited.”

Apple did not, however, say who might be involved in the exploitation of this bug. Nor did the company respond to a query about whether the bug has been exploited by NSO Group’s Pegasus surveillance software.

The exploit was being used in the wild to install spyware on iPhones through iMessage. Apple has claimed that the iMessage zero-click exploit used in the Pegasus hack is “not a threat” to most iPhone users out there.

Security researcher Saar Amar claims to have first discovered this security exploit in March. He has published a detailed write-up about the bug and his findings. Apple has not confirmed whether the patched security exploit in iOS 14.7.1 was used by NSO or not. Whatever the case might be, if you own an iPhone, iPad, or Mac, it is highly recommended that you update to the latest OS update for your device right away.

[Via The Register]