By Jeph Ajobaju, Chief Copy Editor
Google has alerted its 2.65 billion Chrome users about hacking.
And Apple blocks a “zero-click” spyware that could infect iPhones and iPads, two months after news broke that Pegasus is being used by governments in more than 50 countries to spy on 50,000 telephone numbers used by critics and activists.
Several journalists from 17 news outlets worldwide worked together in July to expose evidence of highwire spying with Pegasus, a software crafted by NSO Group, an Israeli firm, targeting journalists, politicians, business executives, and others.
Pegasus can be covertly installed on mobile phones and other devices running most versions of iOS and Android, according to Wikipedia, which describes it as a Trojan horse computer virus that can be sent “flying through the air” to infect cell phones.
The BBC reports that independent researchers identified the flaw in this latest iPhone spyware, which lets hackers access devices through the iMessage service even if users do not click on a link or file.
The problem affects all of Apple’s operating systems, the researchers said.
Forbes explains that Google Chrome is now used by approximately 2.65 billion users as it dominates the web browser market.
The problem with such dominance, however, is that Chrome has become the number one target for hackers, and now Google has had to issue another serious upgrade warning.
In a new blog post, Google has revealed that two new ‘zero-day’ exploits (CVE-2021-30632 and CVE-2021-30633) have been discovered in Chrome for Linux, macOS and Windows.
And – like the previous two attacks – they have come from anonymous tip-offs.
Their zero-day classifications mean hackers have been able to exploit them before Google could release fixes, making them significantly more dangerous than most security flaws.
Writing on its blog, Google confirmed it “is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild.”
Standard practice
As is standard practice, Google is currently giving little away about these zero-day flaws. This is to limit their spread and buy time for users to protect themselves.
Consequently, other than ranking their threat as “High”, this is all Chrome users have to go on right now:
· High — CVE-2021-30632: Out of bounds write in V8. Reported by Anonymous on 2021-09-08
· High — CVE-2021-30633: Use after free in Indexed DB API. Reported by Anonymous on 2021-09-08
Based on the dates, says Forbes, it is safe to assume the source for both zero-day flaws is the same.
As for their brief descriptions, V8 is the open source JavaScript engine at the heart of Chrome, while Use-After-Free (UAF) vulnerabilities relate to the incorrect use of dynamic memory during program operation.
If the program doesn’t clear the pointer to memory after it is freed, hackers can use this error to exploit the program.
UAF vulnerabilities were the source of five ‘High’ rated Chrome threats earlier this month, while V8 was the target of the last zero-day Chrome hack in July. Google also warns that nine further “high” level threats have been found in Chrome, but they are not currently believed to have been exploited in the wild.
To combat these new threats, all Chrome users should navigate to Settings > Help > About Google Chrome. If your browser version on Linux, macOS or Windows is listed as 93.0.4577.82 or above you are safe.
Google states that this new, protected version of Chrome “will roll out over the coming days/weeks”, so you may not be able to protect yourself right away. If you can upgrade, you should do so, then restart your browser immediately.
Google continues to fix Chrome flaws at a rapid pace, but this is only effective if its billions of users also do their part.
Attacks on Chrome are growing as it becomes ever more dominant in the marketplace, making it essential to keep your browser up-to-date at all times. Go check it right now.
Apple blocks iPhone spyware
Apple said it issued the security update in response to a “maliciously crafted” PDF file, according to the BBC.
University of Toronto’s Citizen Lab, which first highlighted the issue, had previously found evidence of zero-click spyware, but “this is the first one where the exploit has been captured so we can find out how it works,” said researcher Bill Marczak.
The researchers said that the previously unknown vulnerability affected all major Apple devices, including iPhones, Macs and Apple Watches.
Citizen Lab also said the security issue was exploited to plant spyware on a Saudi activist’s iPhone, adding that it had high confidence that the Israeli hacker-for-hire firm, NSO Group, was behind that attack.
In a statement to the Reuters news agency, NSO did not confirm or deny that it was behind the spyware, saying only that it would “continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime”.
Security experts have said that although the discovery is significant, most users of Apple devices should not be overly concerned as such attacks are usually highly targeted.
Apple said in a blog post that it had issued the iOS 14.8 and iPadOS 14.8 software patches after it became aware of a report that the flaw “may have been actively exploited”.
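For anyone checking more than one device, the two version thresholds the article gives (Chrome 93.0.4577.82, iOS and iPadOS 14.8) can be applied to an inventory list. The Python below is an added example, not code from Google, Apple or the outlets quoted; the hostnames and version strings are constructed, and treating any release at or above 14.8 as patched is an assumption.

```python
import re

# Minimum fixed versions as stated in the article.
FIXED = {
    "chrome": (93, 0, 4577, 82),  # Linux, macOS and Windows builds
    "ios": (14, 8),               # assumption: 14.8 and later carry the fix
    "ipados": (14, 8),
}

_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text):
    """Return the first dotted version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.group().split(".")) if m else None


def is_patched(product, version_text):
    """True/False against FIXED; None if the product or version is unknown."""
    fixed = FIXED.get(product.lower())
    found = parse_version(version_text)
    if fixed is None or found is None:
        return None
    # Pad to equal length so 14.8 and 14.8.0 compare as equal.
    width = max(len(fixed), len(found))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(found) >= pad(fixed)


def triage(inventory):
    """Group (host, product, version_text) rows by patch status."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, product, version_text in inventory:
        status = is_patched(product, version_text)
        key = "unknown" if status is None else ("patched" if status else "vulnerable")
        report[key].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-01", "chrome", "Google Chrome 93.0.4577.63"),
    ("ws-02", "chrome", "Google Chrome 93.0.4577.82"),
    ("ws-03", "chrome", "Google Chrome 93.0.4577.100"),  # sorts below .82 as text
    ("ph-01", "iOS", "14.7.1"),
    ("ph-02", "iPadOS", "14.8"),
    ("ws-04", "chrome", "not installed"),
]
```

Versions are compared as integer tuples because a plain string comparison would rank 93.0.4577.100 below 93.0.4577.82 and flag a patched browser as vulnerable.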
Dangerous weakness exploited by hackers
The BBC explains that Apple’s iMessage is one of the most secure messaging apps in the world but clearly it had a dangerous weakness that a hacking team found and exploited.
The news will embarrass Apple, which prides itself on being a secure and safe system.
The revelation is potentially another blow to the reputation of NSO Group, which is still reeling from recent accusations of widespread spy hacks on innocent people.
It also highlights once again that no device is fully safe if a determined, well-funded team wants to hack it and is paid enough to do so.
The good advice from all corners is for iOS users to update the security software of their devices as soon as possible to patch up the security hole.
But for the vast majority of users, the risk of being a target of this expensive and highly skilled hacking is low.