back to article Apple emergency patches fix zero-click iMessage bug used to inject NSO spyware

Apple on Monday issued security patches for its mobile and desktop operating systems, and for its WebKit browser engine, to address two security flaws, at least one of which was, it is said, used by autocratic governments to spy on human rights advocates. A day before the iGiant is expected to announce the iPhone 13, it …

  1. Anonymous Coward
    Anonymous Coward

    Autocratic governments, that's a broad brush nowadays.

    Nicola Sturgeon should take note, there are going to autocratic governments much closer to home, wanting to know her plans for Scottish Independence, in the coming months. How often will GCHQ's defining words 'in the national interest', as in - in national (UK) interest be used to authorise device surveillance hacks, should be the question on everyone's mind, north of the border.

    London/Westminster has been controlling/manipulating Scotland for years, the idea they'll give that up, let democracy take its course, without using every software tool at their disposal, is somewhat doubtful. Underhand use of digital technologies is here to stay. After all, it's now ingrained in UK law, as 'lawful', and here lies the problem for Scotland.

    1. Dan 55 Silver badge

      Re: Autocratic governments, that's a broad brush nowadays.

      Have the downvoters forgotten about the #BorisBotArmy already?

      1. James12345

        Re: Autocratic governments, that's a broad brush nowadays.

        Lolz - the English have been subservient to the Scottish minority for centuries. This is yet another example of the greedy Scots trying to heap even more on to their plates.

    2. Mishak

      Re: Autocratic governments, that's a broad brush nowadays.

      Perhaps Scotland should remember why they originally joined the UK rather than complain about the "controlling Westminster Government" - especially when they want to leave it to join the even more controlling EU!

      Note: I have ties to Scotland and was against Brexit.

      1. Dan 55 Silver badge
        WTF?

        Re: Autocratic governments, that's a broad brush nowadays.

        The UK left the EU of its own accord on a 52%/48% (of those that voted) advisory referendum.

        The UK government said a few weeks ago that there would need to be sustained support in polls of over 60% over "a reasonably long period" for Scotland to have a referendum.

        So which is more controlling again? The UK isn't a union of equals (as it wasn't in 1707).

        1. Si 1

          Re: Autocratic governments, that's a broad brush nowadays.

          Scotland already had one referendum. How many are going to be held until you get the answer you want?

          1. Handy Plough

            Re: Autocratic governments, that's a broad brush nowadays.

            That was pre-Brexit. And the rules that applied then should be the same that Apply to Scottish independence. When are you Brexiteers going to learn, you cannot have your cake and eat it.

          2. albaleo

            Re: Autocratic governments, that's a broad brush nowadays.

            I guess as long as the people of Scotland continue to vote in a government that supports a referendum, we'll keep having them. Is that not what democracy's about?

            1. sabroni Silver badge

              Re: Is that not what democracy's about?

              Not to the "Brexit is the immutable will of the majority of the UK" crowd. They got the answer they needed, further democracy is just a waste of time.

        2. Stuart Castle Silver badge

          Re: Autocratic governments, that's a broad brush nowadays.

          I think the problem is that the whole remain campaign (and certainly David Cameron) assumed Remain would win. That's probably why Cameron didn't specify a limit for the referendum. He didn't think of it because he thought that once they got the referendum they were asking for, and lost, the Tory Eurosceptics would shut up.

          The problem is, they didn't lose, and even when the remain campaign started fighting, they fought with facts. The problem is facts, while often correct, don't engage people's emotions as much as a good bit of lying. Put simply, the leave campaign said "Stuff is broken, we will fix it" (as did Trump in 2016), which engages people's emotions far more than the simply stating that the other campaign is wrong, and things are generally OK, which is what the remain campaign did in this country and what Clinton did in the US. Even if you are telling the truth.

          1. Anonymous Coward
            Anonymous Coward

            Re: Autocratic governments, that's a broad brush nowadays.

            "£350 million a week for the NHS" on the side of a bus come to mind.

            So despite that extra cash, NI is going up???

      2. Anonymous Coward
        Anonymous Coward

        Re: Autocratic governments, that's a broad brush nowadays.

        I have a fair few Irish friends, and not one to date has ever said in conversation, the EU was controlling, funny that? If anything, the EU had Ireland's back during Brexit negotiations. Yet, bring up the topic of past British rule in Ireland, it is still a bitter pill to swallow.

        Westminster regards Scotland has always been very controlling. Try living in Scotland for a few years, just on a pure practical level, you'll soon realise Scotland shouldn't be run from Westminster.

        1. Beornfrith

          Re: Autocratic governments, that's a broad brush nowadays.

          Not only should Scotland arguably not be run from Westminster, as a Highlander I'd argue it shouldn't be run from the Central Belt either. Folk down there have hardly a clue about the practical side of life in the Highlands but talk as though we're all one happy family!

        2. slack0

          Re: Autocratic governments, that's a broad brush nowadays.

          "Ireland named as bank tax haven by Tax Observatory report " The Tax Observatory is an EU organization.

          1. anothercynic Silver badge

            Re: Autocratic governments, that's a broad brush nowadays.

            And? We're the biggest offshore tax haven and funny money laundrette off the coast of the EU. Channel Islands? Paleese! Gibraltar. Come on now. Cyprus? *gives you a pitying look*

            The City of Westminster and the City of London is where it's at. All those pretty modern highrises? *Not* owned by Brits, and likely not even *lived in* by Brits. No... they're all owned by random limited companies with controlling interests elsewhere, with again controlling interests elsewhere until at the end of the rabbit hole an Eurasian or African person with connections to <insert despotic tin pot "republic"> pops up.

            You might want to read about how much dirty money washes through the great laundrette that is the London property market in a year...

      3. MDMAok

        Re: Autocratic governments, that's a broad brush nowadays.

        We joined the UK because just enough of our parliament was bribed, and the English army moved into Edinburgh the next day. 'A parcel of Rogues' was how Burns described them. No we have not forgotten.

    3. redpola

      Re: Autocratic governments, that's a broad brush nowadays.

      “ there are going to autocratic governments much closer to home”

      … What?

      1. Anonymous Coward
        Anonymous Coward

        Re: Autocratic governments, that's a broad brush nowadays.

        “ there are going to autocratic governments much closer to home”

        There are going to be autocratic governments much closer to home....

    4. Anonymous Coward
      Anonymous Coward

      Re: Autocratic governments, that's a broad brush nowadays.

      As a Londoner, my biggest gripe about Scotland potentially leaving the UK is they won't take us with them. Please don't lump us in with the bell-ends in Westminster, they just work here.

      1. Def Silver badge

        Re: Autocratic governments, that's a broad brush nowadays.

        They'll take me though. My grandfather was Scottish. If they leave the UK and rejoin the EU, I should be able to get a passport that gives me back the freedoms Brexit took from me.

        1. Androgynous Cupboard Silver badge

          Re: Autocratic governments, that's a broad brush nowadays.

          I'm unable to read your post without shouting "Freedom" in my head like Mel Gibson in Braveheart.

    5. Handy Plough

      Re: Autocratic governments, that's a broad brush nowadays.

      20% of the Prime Minster of GB have not been English, with the majority of the 20% being Scottish (10). Were London/Westminster being 'manipulated' by Scotland while they were in power?

  2. redpawn Silver badge

    What could go wrong with browser lock-in?

    Old dead WebKit has killed mountains of iPhones and iPads. Apple leaves behind older kit and the browser just crashes on modern web pages. Forbid other browsers web engines and the ithings become useless. But also browser lock-in is vulnerability lock-in for up to date devices too. Any good AV for iOS anyone? Bask in Apple’s love.

    1. Mishak

      Re: What could go wrong with browser lock-in?

      Would those alternative browsers still be supported on ancient iOS platforms, or would they also now be vulnerable?

      1. Charlie Clark Silver badge

        Re: What could go wrong with browser lock-in?

        We'll never know because Apple won't let us try.

    2. IGotOut Silver badge

      Re: What could go wrong with browser lock-in?

      My 10 year old ipad has no issues and still gets security updates, so meh.

    3. Tessier-Ashpool

      Re: What could go wrong with browser lock-in?

      You could argue that letting any old browser rendering engine onto the iPhone would almost certainly lead to many more vulnerabilities. At least Apple WebKit vulnerabilities are addressed snappily.

  3. amanfromMars 1 Silver badge

    Who's leading Whom a Merry Dance up the Garden Path to Nowhere Worth Going?

    "Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating 'despotism-as-a-service' for unaccountable government security agencies," Citizen Lab researchers said in a post on Monday. "Regulation of this growing, highly profitable, and harmful marketplace is desperately needed."

    What is the reason, in the case of the above not being fake news, the NSO Group and its backers are not proscribed as a terrorist organisation by the US and its allies? If it were a Russian or a Chinese or a Taliban or an emergent stateless organisation responsible for such activities, you can be sure Uncle Sam would be proclaiming that to all and sundry in a flash.

    1. Androgynous Cupboard Silver badge

      Re: Who's leading Whom a Merry Dance up the Garden Path to Nowhere Worth Going?

      My dear AMFM, the rules of the game are very clear.

      If you attack civilians with bombs or guns, you are a terrorist. If you make the bombs or guns used by the terrorist, you are a respected member of the "Defence" Industry. And so it is with spyware.

      NSO can, and are, using the same defence as Smith & Wesson, Remington, Glock and everyone else in this business. "We just make the tools". The odds of Uncle Sam, in particular, chastising arms manufacturers are lower than the surface temperature of your home planet.

      1. amanfromMars 1 Silver badge

        Re: Who's leading Whom a Merry Dance up the Garden Path to Nowhere Worth Going?

        Those are the old misguiding rules, Androgynous Cupboard. Play by them at your peril for the price exacted for not being bang up to date with regulatory changes is similar to that suffered by software and captivated clients running on ancient hardware with pathetically slow and limiting processors/chips/computers.

        Such an advance though is perfectly normal and fully to be expected and lauded for it confirms and announces progress has been made rather than it being thought hindered and/or halted.

      2. amanfromMars 1 Silver badge

        Re: Who's leading Whom a Merry Dance up the Garden Path to Nowhere Worth Going?

        Here is news of a General who recognises the catastrophic deficit in UKGBNI Command and Control of Future Fields and would welcome what is no less than absolutely necessary outside of military command help ....... https://www.nationaldefensemagazine.org/articles/2021/9/14/ai-edge-computing-top-priorities-for-uk-strategic-command

        However, the abiding difficulty one may experience is that the extremely strange and fundamentally novel nature of such as are now certainly the most powerful and energetic of leading theatres of executive and populous engagement results so oft in news of the necessary help being free available from home sources being dismissed thusly ......

        Thank you for expressing an interest in AWE 20. The paper sift has now been completed.

        During the paper sift stage of the project each product was marked on its own merits by a team of Military and MOD personnel as well as engineers from DE&S. It was decided as a panel that AWE 20 would not be the right trials arena to test and understand the technology. As I’m sure you can understand we have a limited time to investigate a wide range of products from a wide question set and as such the panel had to ensure that AWE was the most appropriate arena to test the products. Products such as yours will be passed onto relevant project teams / TDUs to ensure awareness of the product is raised and I would encourage you to attend the VIP day to gain further exposure for the technology.

        The clear and present danger then, should such be a persistent situation, is that leading technology is engaged and employed and developed further beyond the reach of home based teams by switched-on foreigners/Savvy SMARTR Competitors for such as may very well be new knowledge abhors a vacuum and will naturally migrate to where it is appreciated and where reward can be enjoyed.

        And anonymous dumb downvotes on the matters revealed here are indicative of the problem.

        1. Tail Up
          Pint

          Re: Who's leading Whom a... ...Path... ...Worth Going?

          howdy, Doc,

          the only problem of the English-speaking downvoters is that they think they can speak English as well as you do... well, your own version of it has a bundle of a mysterious, airy swifty touch of a surreal upgrade... they must read more Shakespearean writings, maybe. keep IT up, and thank you. the Dolphins are getting back. pity noone's to pray for letting me see them rush down the Waters kinda right out of the Blue. though i hope i will (-:

          no hennessy badge? alright, beer then

      3. Anonymous Coward
        Anonymous Coward

        Re: Who's leading Whom a Merry Dance up the Garden Path to Nowhere Worth Going?

        almost a good analogy but, (at least in the US) weapons makers don't sell to criminal (background check required - yes 3rd party sales (you to your friend)- can't be managed - for any product)

  4. fpx
    Devil

    This is where I'd rather see Apple engineers spend their image scanning powers on.

    Now that the vulnerability is known, it is easy to implement an algorithm that identifies malicious files exploiting this vulnerability. No need to train an AI or anything.

    Apple could run that algorithm on all images stored in the iCloud, and potentially also on handsets. This would immediately turn up all iThings that are or were compromised using this exploit today or months ago, and help us identify a lot of other NSO customers.

    1. Mishak

      iMazing

      Not tried it yet, but iMazing has added something to detect this class of attack in the backup images it creates.

    2. Anonymous Coward
      Anonymous Coward

      It's a good point to highlight. In effect, the same technology could be used to weed out those undermining the democratic process by attempting to inject such compromises, by joining up the metadata, but then that's not in line with Apple's own controlling methods at heart.

      But it shows how such scanning technology can be used for whatever Apple decide (or local law decides) is important in the scheme of things. In effect, it shows how easy it is to play God with such tools.

  5. s. pam
    Flame

    Apple screws the pre-iOD 13 customers

    there's TONS of customers with perfectly working iDevices on pre-13 versions now vulnerable and Apple is doing S.F.A. for them.

    so is it time to ditch Apple?

    1. Si 1

      Re: Apple screws the pre-iOD 13 customers

      Every device from the 6S onwards is compatible with iOS 14. If you're still using an iPhone 5S it came out in 2013 and the iPhone 6 was 2014. You can ditch Apple if you like but you'll likely find Android devices get even shorter support times (I'm still bitter Google dumped support for their Nexus 6 after just two years).

    2. Handy Plough

      Re: Apple screws the pre-iOD 13 customers

      Which accounts for 6.4% of devices running iOS. Devices that are 9 years old or less can run iOS 13. Where are you going to go with better support, Android? Don't make me laugh.

    3. Anonymous Coward
      Anonymous Coward

      Re: Apple screws the pre-iOD 13 customers

      Apple supports its iDevices for far longer than any Android manufacturer. Take the iPhone 6s as an example. Launched September 2015 and it's still on the list of phones compatible with the yet to be released iOS 15. That will see its service life extend well into 2023 and possibly beyond.

      Show me an equivalent Android device with an 8+ year life!

    4. IGotOut Silver badge

      Re: Apple screws the pre-iOD 13 customers

      Don't be so sure, you may find older devices still get the update. My old ipad mini 3 still gets critical ones from time to time.

      1. gryphon

        Re: Apple screws the pre-iOD 13 customers

        Indeed.

        I got an update on my old 6+ last month.

        1. Robert Carnegie Silver badge

          Re: Apple screws the pre-iOD 13 customers

          I keep saying here, we don't know when they will stop updating iOS 12 alongside 14. Unless it is this time.

  6. elsergiovolador Silver badge

    Point

    autocratic governments to spy on human rights advocates.

    Is there actually a point to say "autocratic" if all governments are?

  7. Anonymous Coward
    Anonymous Coward

    If Apple had really wanted to fix this years ago, since NSO started operating, they would have offered something like $10 million dollars bounty (a trivial amount for a company with hundreds of billions of dollars in cash laying around).. sufficient to induce any one of the hundreds of engineers at NSO with access to their repositories/knowledge of the exploit, to jump ship and flee to the USA to collect it. That they didn't speaks volumes about how serious Apple are about security.

  8. Omnipresent

    apple IS the spy

    suuuuuuuurrrrrrreeeeee..... update my Iphone so you can steal my data and force me to upgrade to a new phone nobody wants. We've learned your tricks apple.

  9. David 132 Silver badge

    If only Apple would actually implement message filtering

    A glaring gap in iOS is that it still, 12? 13? years down the line, doesn’t have any sort of iMessage/SMS filtering or whitelisting capability.

    I am plagued by an incessant bombardment of crude/nasty/offensive/stupid spam texts. Apparently the scammers think my name is either Fred or Ramon. Their latest campaign consists of impersonating my carrier, with oh-so-convincing pleas along the lines of “Free message from At&t: Ramon, thanks for paying your bill, we want to give you $617.37 as a thank, please click ://dodgy-url.cn/randomstring to claim”.

    Come on apple. Simple keyword filtering, that’s all I ask. There are tribes of tree-dwelling bonobos in the Congo that have figured out how to do that, I’m sure it’s not beyond the wit of a trillion-dollar tech company…

    1. Anonymous Coward
      Anonymous Coward

      Re: If only Apple would actually implement message filtering

      Hi Fred Ramon,

      We're sorry you feel we've been bombarding you. Can we offer you $617.37 as compensation for this, please click ://dodgy-url.cn/randomstring to claim.

    2. gujiguju

      Re: If only Apple would actually implement message filtering

      It’s 2021, and apparently, some bonobos are able to search for a near-definitive answer to life’s complex questions, such as, “Does iPhone allow SMS filtering…?”

      On iOS/iPadOS:

      Settings ➡️ Messages ➡️ Unknown & Spam

      https://duckduckgo.com/?q=iphone+sms+filter&t=ipad&ia=web

  10. This is not a drill

    Truth in Advertising

    MAC: Hi I'm a Mac

    PC: And I'm a PC

    MAC: Unlike PC, I don't suffer from security vulnerabil......... Oh shit

    1. The Sprocket

      Re: Truth in Advertising

      Hmmmm . . . 15 years later. World has gotten mega-nastier since then.

  11. jollyboyspecial

    Every vendor is going to tell you their platform is secure. It's a given. What worries me is the confidence of the Apple faithful that the statement is true. It's good to be cautious, but it seems that most of the Apple faithful are not, because they believe that all iThings are 100% secure.

    If a vendor advises you to run some sort of malware protection then they are telling you to be cautious. So if you took a kicking and you didn't have any malware protection then the vendor could argue with some credibility that it was your own fault for not using protection. If you took a kicking and you did use malware protection then the vendor could argue that the malware protection provider was at fault. The Apple approach of telling all their users that there's no need for malware protection is surely flawed.

    If somebody were to try to sue what would their defence be? They can't say you should have used protection, they are the ones who told you it wasn't necessary after all. And if you did have some sort of protection installed they couldn't blame the vendor of that app because they'd told you such an app was necessary.

    The biggest protection against being pwned is not a secure platform. It isn't malware protection. It's caution and the actions and configurations that result from that.

    But the scary thing about this vulnerability is that you don't need to open an attachment to get pwned. Any sensible person will have their messaging app to only accept messages from known contacts. That same sensible person will, through an abundance of caution, choose not to open attachments even from people they know unless they can verify the attachment is valid. But even with that reasonable level of caution you wouldn't have been protected in this case. Really what sort of developer thinks it safe to download and activate an attachment even if the end user hasn't told the app to do so?

    1. Ken Moorhouse Silver badge

      Re: If somebody were to try to sue what would their defence be?

      In this case it could p-o-s-s-i-b-l-y be argued that (ISTR) Steve Jobs warned against the use of Adobe software on Apple products. However the fact that pdf's are supported on Apple products means that get-out card is no longer valid.

  12. Anonymous Coward
    Anonymous Coward

    NSO good guys or bad guys?

    I've read lot and lots of -things they have had their fingers in, and have to ask - are they really bad guys working for evil empires?

    Or are there positive things they do also?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021