posted by NihilistCaregiver +13 / -0

Everything I am reading seems to indicate that Pegasus is primarily used by state actors to target journalists and activists.

I have not seen any accounts of random individuals (who aren't direct targets of states) getting hit by Pegasus. There are also older articles on the web talking about this exploit, so it has been around for a while with no fix.

Does the average joe face any risk by NOT applying this update?

Comments (4)
lgbtqwtfbbq 3 points ago +3 / -0

I don't consider myself a "cybersecurity nerd", but I am a professional programmer with a fair amount of experience.

The 14.8 fix claims to address two issues:

  • An issue with the code that reads PDFs that could allow what they call "arbitrary code execution" (which means that people can run whatever they want as though it were the program reading the PDF) by viewing a PDF designed to exploit the vulnerability.
  • An issue with the code that renders web pages that could allow the same sort of "arbitrary code execution" by accessing a web page designed to exploit the vulnerability.

Putting aside the Pegasus stuff, these two issues could be exploited by others; and oftentimes the researchers who discover these vulnerabilities will publish details of how the exploit worked a certain amount of time after the vendor provides a fix. It's also common that when this happens the exploits are added to large software suites of exploits that just try them all in the hopes that you haven't patched your phone against a few of them. So by not updating you also put yourself at risk of others later on using the exploit for their own purposes.

Specifically regarding the Pegasus stuff, if you're referring to yourself and post here I'm not sure I would assume I was an "average joe" even if you're still ultimately small potatoes. That said, if they already broke into your phone I'm not seeing that this update undoes that. Though I'm not an iOS expert so there might be something about the update process I'm missing.

NihilistCaregiver [S] 3 points ago +3 / -0

Thank you for the response.

Regarding this point:

> Putting aside the Pegasus stuff, these two issues could be exploited by others; and oftentimes the researchers who discover these vulnerabilities will publish details of how the exploit worked a certain amount of time after the vendor provides a fix.

Does the following website reveal how the exploit works? https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/

lgbtqwtfbbq 4 points ago +4 / -0

It provides some detail ("We are publishing limited technical information about CVE-2021-30860 at this time.") that might point someone in the right direction. And of course, once you have the old version of the software and the patched version you can figure out what's different between the two and know even more about the nature of the exploit. But someone would still have to do some legwork.

And of course, it's also possible that this site releases more information at some later date.

krzyzowiec 2 points ago +2 / -0

> Does the average joe face any risk by NOT applying this update?

Yes, significant risk. Not from Pegasus, since that is obviously going to be targeted against journalists and so on, but these exploits can be used by anyone to do anything, especially now that it is public knowledge.

The fact that you are talking about exploits that do not require user intervention, and involve PDF and web rendering, which are some of the most common tasks you can do on a phone, is a big deal.