Jamf Blog
September 14, 2021 by Jesus Vigo

Stop! Go patch your iOS/iPadOS and macOS devices against Pegasus spyware right now!

Apple’s newest releases patch the critical flaw exploited by Pegasus, updating the OS and software to fully protect your devices against this vulnerability, which has been reported as actively exploited in the wild.

Background information

Back in late July, news outlets reported growing concern over misuse of the Pegasus surveillance software. Intended to target terrorists and criminal threats by exploiting iMessage vulnerabilities found primarily within iOS/iPadOS devices, the software became the focus of privacy questions after it was found that several governments worldwide were using the sophisticated tools to target journalists, activists and dissidents, monitoring and capturing private data without users’ explicit consent.

Jamf reported a thorough breakdown of the Pegasus spyware, as it became known, detailing what it is and what it does, along with the broader security implications, indicators of compromise and recommendations for staying protected. These recommendations included the “patch fast, patch often” mantra often repeated to ensure devices are protected against the very latest known threats.

On September 13, 2021, Apple released a slew of new, critical updates for iOS/iPadOS (14.8), macOS Catalina/Big Sur (11.6), watchOS (7.6.1) and the Safari (14.1.2) browser that target security threats – namely, the vulnerabilities that make falling victim to Pegasus possible.

  • CVE-2021-30858: A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 14.8 and iPadOS 14.8 and in macOS Big Sur 11.6. Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2021-30860: An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6 and watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

iOS/iPadOS 14.8

According to Apple’s iOS/iPadOS release notes, both CoreGraphics and WebKit are patched with this update, protecting against maliciously crafted PDF and web content respectively that could lead to arbitrary code execution.

The update targets iPhone 6S and later, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, as well as iPod touch 7th generation devices. For security reasons, Apple does not disclose security issues or provide a deep dive into security updates.

Users are urged to patch immediately or as soon as possible to stay protected against the latest known threats, especially as there have been reports of the Pegasus spyware being used in the wild. You may effectively regard any device running a version of iOS/iPadOS lower than 14.8 as vulnerable and potentially exploitable unless additional protections are in place to mitigate some of the risks.
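As an added example (not from Jamf or the original post), the following check applies the minimum versions named above, iOS/iPadOS 14.8 and macOS Big Sur 11.6, to a device inventory. The CSV layout, serial numbers and function names are constructed for illustration; macOS releases older than Big Sur are flagged for manual review because Security Update 2021-005 and the Safari update do not change the OS version number.

```python
import csv
import io

# Minimum patched versions as stated on this page.
PATCHED = {"iOS": (14, 8), "iPadOS": (14, 8), "macOS": (11, 6)}

# Constructed sample inventory (hypothetical export format, not real devices).
SAMPLE_INVENTORY = """serial,os,version
C0NSTRUCT01,iOS,14.7.1
C0NSTRUCT02,iPadOS,14.8
C0NSTRUCT03,iOS,14.10
C0NSTRUCT04,macOS,11.5.2
C0NSTRUCT05,macOS,11.6
C0NSTRUCT06,macOS,10.15.7
C0NSTRUCT07,iOS,14.x
"""

def parse_version(text):
    """Turn '14.7.1' into (14, 7, 1); raise ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(os_name, version_text):
    """Return 'patched', 'vulnerable' or 'verify' for one device."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "verify"  # unparseable version: never assume patched
    minimum = PATCHED.get(os_name)
    if minimum is None:
        return "verify"  # platform not covered by the thresholds above
    if os_name == "macOS" and version[0] < 11:
        # Pre-Big Sur fixes ship as a Security Update or Safari update and
        # leave the OS version unchanged, so the version cannot confirm them.
        return "verify"
    # Tuple comparison is numeric: (14, 10) > (14, 8), unlike string comparison.
    return "patched" if version >= minimum else "vulnerable"

def audit(inventory_csv):
    """Map each status to the list of serials with that status."""
    report = {"patched": [], "vulnerable": [], "verify": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row["os"], row["version"])].append(row["serial"])
    return report

if __name__ == "__main__":
    for status, serials in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(serials)}")
```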

Additional protective actions against the latest known and zero-day threats include deploying Wandera Threat Defense for the real-time detection and prevention of network attacks, such as phishing threats, malicious downloads and data exfiltration. It is also possible to safeguard user privacy by adding encryption to block the follow-up activities common to mobile device-based attacks.

A number of security recommendations based on industry best practices also apply to mobile devices and help mitigate risks from this and future threats. You may want to consider the following:

  • Device security:
    • Ensure all devices are running the latest software. Yes, the “patch fast, patch often” mantra applies even for mobile devices. Ensure that you have an organized process to roll out OS and app updates across your mobile fleet just as quickly as you do for your other devices.
    • Implement a vulnerability monitoring and patch management process to improve timely responses to future exploits. Yes – even on mobile devices.
    • Implement an app vetting workflow that ensures only approved apps have access to corporate data. By strictly controlling what apps are available on devices, you can further reduce the attack surface.
  • Data security:
    • Review managed app permissions for excessive data collection. If an exploited app hasn’t been given access to contacts, calendar, photos, camera, microphone, etc., then the threat is easier to contain.
    • Implement conditional access policies that prevent work applications (with sensitive data) from being accessed when the mobile device has risky apps installed. Conditional access policies implemented on the device can be highly effective even with unmanaged devices.
  • Network security:
    • Deploy a security solution with inspection capabilities at the network layer to identify transactions that are indicative of a compromised device. Ensure that network visibility is active on all network interfaces and not just when the device is on the corporate campus.
    • Utilize network security policies to block malicious downloads, command and control (C2) traffic and data exfiltration.
    • Deploy a mobile security solution with zero-day detection capabilities to monitor at scale for anomalous behavior (such as a sudden pattern of communication with untrusted foreign servers).
    • When a new threat is identified, attempt to isolate the threat and limit its ability to function. When WhatsApp was being used by Pegasus a while back, Wandera customers were able to respond by blocking WhatsApp connections at the network level to manage the risk while they waited for a patch. Since the current round of attacks seems to be focused on iMessage, consider what the impact on your organization and your employees would be were you to disable iMessage traffic, for example.

macOS Big Sur 11.6

Echoing the iOS/iPadOS section above, the Apple release notes for macOS Big Sur 11.6 address the very same threats and should be taken equally seriously by admins and users. It is just as critical for your macOS-based devices to be “patched fast, patched often.”

Similarly to the protections afforded to iOS/iPadOS by Wandera Threat Defense, macOS devices benefit greatly from Jamf Protect, the purpose-built endpoint security software designed exclusively to monitor, detect, prevent, remediate and report on Mac-specific security threats affecting your macOS-based device fleet. Running alone or integrated with a number of applications to provide additional workflows and automation, Jamf Protect ensures your Macs – and users – stay protected, compliant and performing optimally.

macOS Catalina Security Update 2021-005

As an addendum to the macOS Big Sur 11.6 update above, organizations and users still running macOS 11.5, dubbed Catalina, will want to update to the latest security update quickly. According to Apple’s release notes, Catalina is vulnerable to CVE-2021-30860, and patching this vulnerability will mitigate this risk.

Safari 14.1.2

Lastly, Apple provides additional information in their release notes relating to the WebKit component found in both macOS Catalina and Mojave. An update to the Safari browser brings it into compliance with version 14.1.2, patching it against CVE-2021-30858.

Don’t let your devices fall prey to attackers. Protect your users, data and their devices in real-time.

To learn more about how Jamf Pro helps you to update your Apple fleet, contact Jamf today.

Jamf
Jesus is a Copywriter, Security, focused on expanding the knowledge base of IT and Security Admins, and generally anyone with an interest in securing their Apple devices, with Apple Enterprise Management and the Jamf solutions that will aid them in hardening the devices in the Apple ecosystem.