Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Solution for Pegasus Spyware on Mojave?

dawindmg08

dawindmg08

macrumors regular
Original poster
Sep 25, 2008
188
80
Los Angeles
I have several Macs -- including my. mother-in-law's iMac -- that are still running Mojave. With today's announcement of security fixes against the Pegasus Spyware I was wondering if there's any solution for an older OS, short of updating to Catalina or BigSur? I'm trying to find more info about the exploit at least -- does it only happen through iMessage or could any PDF downloaded to the Mac potentially install this thing?

TIA,
D
 
dawindmg08 said:
I have several Macs -- including my. mother-in-law's iMac -- that are still running Mojave. With today's announcement of security fixes against the Pegasus Spyware I was wondering if there's any solution for an older OS, short of updating to Catalina or BigSur? I'm trying to find more info about the exploit at least -- does it only happen through iMessage or could any PDF downloaded to the Mac potentially install this thing?

TIA,
D
Click to expand...
Has it been confirmed that Mojave is vulnerable to this exploit? I've seen no mention of Mojave or earlier macOS versions.
 
Idgit said:
Has it been confirmed that Mojave is vulnerable to this exploit? I've seen no mention of Mojave or earlier macOS versions.
Click to expand...
My assumption was that this could affect *any* OS that wasn't patched today, and that fix was only pushed out to Catalina and Big Sur users.
 
I'm not ready to give up Mojave yet. I still need to run some 32-bit apps, but I really despise the UI changes in Big Sur.

In the meantime, I use Little Snitch and Ransomwhere to alert me to any unknown or compromised app or process that tries to phone home or mess about on my system.

Unfortunately, those might be a bit too intrusive for your mother-in-law's system.

Hopefully in the next few days will find out if Mojave is affected.
 
  • Like
Reactions: howdytom
dawindmg08 said:
My assumption was that this could affect *any* OS that wasn't patched today, and that fix was only pushed out to Catalina and Big Sur users.
Click to expand...
It is not a case of 'if you don't do it today your screwed'.

Never download a pdf (or any type of file) from an unknown source.
 
  • Like
Reactions: Hombre53
MarkC426 said:
It is not a case of 'if you don't do it today your screwed'.

Never download a pdf (or any type of file) from an unknown source.
Click to expand...
Been trying to read up on this exploit -- so it's specifically about downloading a bad PDF, yes? If they don't touch a PDF from an unknown sender they'll be good?
 
FYI: more info about the various patches in this Macworld UK article.
Apple is offering the Safari 14.1.2 update in Mojave to patch the webkit side of the exploit. But there's no OS update for the CoreGraphics side -- the author was unsure whether or not Apple isn't going to bother with that OS or if Pegasus can't exploit Mojave. Would love to know about the latter; I can get my MIL to install the Safari patch at least but I know she'll be paranoid regardless.
 
dawindmg08 said:
Update #2: i just chatted with "Apple Business Support" on my phone. FWIW:

"After doing some digging your security is at no risk. Pegasus does not affect macOS Mojave."
Click to expand...
Thanks for the info...

Preparing for EOL of macos 10.14. I guess in October/November Apple will stop pushing security updates :(

I have one 12" left running it (wifey has some 32-bit apps). Guess I'll have to bite the bullet and update to Catalina at some point.
 
Jupiter9 said:
Relax. You are not that important.
Click to expand...

That's a ridiculous attitude. Now that the patch is out there, it can be easily analyzed to find out what is patched and others WILL start exploiting this now that there is a literal road map on how to exploit it readily available.

That's the double edged sword of patching.

Luckily I don't need messages on my one Mojave machine so I just went into messages and signed it out of iCloud. Not a great solution but better than nothing. I sincerely hope Apple does patch it!
 
  • Like
Reactions: Hombre53 and Mac Hammer Fan
Apple just released another security update for Catalina yesterday. Once again Mojave is left out.
 
That's because Mojave is on the edge of the cliff, and about to fall off.
With Monterey about to drop, this is normal.
 
edubfromktown said:
Thanks for the info...

Preparing for EOL of macos 10.14. I guess in October/November Apple will stop pushing security updates :(

I have one 12" left running it (wifey has some 32-bit apps). Guess I'll have to bite the bullet and update to Catalina at some point.
Click to expand...
No reason to give up Mojave hust because Apple stops patching it.

Number 1: The odds you'll be victimized by any of the few mac exploits is extremely unlikely.

Number 2: If you are concerned ... there are a number of third party mac anti spyware products that can give you peace of mind
 
  • Like
Reactions: Hombre53, trusso and MarkC426
I finally upgraded my system from mojave to big suck 11.6 after testing it on a test SSD since its release and it's actually ok now. Some parts of it run faster than mojave.

Still have a clone of mojave stashed in case i need to eat my words though

What's interesting is that some of my 3rd party apps, after upgrading to big suck, asked for permission to access my contacts, calendar, reminders, etc. There's no need for those permission given the nature of the app.
 
saudor said:
What's interesting is that some of my 3rd party apps, after upgrading to big suck, asked for permission to access my contacts, calendar, reminders, etc. There's no need for those permission given the nature of the app.
Click to expand...
FWIW that seems to be a common experience across the board. Even apps that I know are not malicious (like Adobe) are trying to access things like Contacts. It's bizarre but I guess you can always say NO and it shouldn't affect usability.
 
saudor said:
I finally upgraded my system from mojave to big suck 11.6 after testing it on a test SSD since its release and it's actually ok now. Some parts of it run faster than mojave.

Still have a clone of mojave stashed in case i need to eat my words though

What's interesting is that some of my 3rd party apps, after upgrading to big suck, asked for permission to access my contacts, calendar, reminders, etc. There's no need for those permission given the nature of the app.
Click to expand...

This is what I hate about Apple's security theater. Apple has locked down macOS so much with recent versions and have implemented all these changes that add *huge* amounts of inconvenience for the average user. And yet, every month there seems to be a new zero-day exploit of macOS in spite of all its security restrictions. I mean, ffs, a simple PDF payload bypasses all their restrictions with this Pegasus exploit.

Additionally, the security interface in System Preferences is so badly designed and awkward to use. I have several relatives who are boomers or elderly and they call me frequently for help because some programs (e.g., Zoom) on their Macs don't work. They don't understand how to grant access to these apps because of Apple's ****** UI design these days.
 
  • Like
Reactions: Hombre53
Idgit said:
This is what I hate about Apple's security theater. Apple has locked down macOS so much with recent versions and have implemented all these changes that add *huge* amounts of inconvenience for the average user. And yet, every month there seems to be a new zero-day exploit of macOS in spite of all its security restrictions. I mean, ffs, a simple PDF payload bypasses all their restrictions with this Pegasus exploit.

Additionally, the security interface in System Preferences is so badly designed and awkward to use. I have several relatives who are boomers or elderly and they call me frequently for help because some programs (e.g., Zoom) on their Macs don't work. They don't understand how to grant access to these apps because of Apple's ****** UI design these days.
Click to expand...
Dont get me started on that. Even on iOS, the settings panel is such a mess. They keep changing stuff and having used iPhone for a decade, it’s still annoying to find stuff i could easily find before. (E.g. disabling in-app purchases used to be under restrictions.. now it’s under screen time and can only be done if screentime is enabled)

Basically turned into Android.
 
Nicole1980 said:
No reason to give up Mojave hust because Apple stops patching it.

Number 1: The odds you'll be victimized by any of the few mac exploits is extremely unlikely.

Number 2: If you are concerned ... there are a number of third party mac anti spyware products that can give you peace of mind
Click to expand...

Staying as close as possible to the most recent updates on your devices/computers is the best protection. In addition to the ever changing malware and spyware variants (that still can easily fool endpoint products on up to commercial IDP/IDS/NGFW/UTM systems by changing a couple of bytes), there are plenty of new critical/high vulnerabilities that crop up across all operating system platforms and the 3rd party applications that run on them with regularity.

Beyond the devices themselves, I use an enterprise firewall platform at home, two raspberry Pi's (to sinkhole nefarious dns lookups), Wireguard VPN and other fun things. Even with all of that in place, I do not access the internet with any systems that can no longer can obtain updates.

I have a 24" white iMac and two Mini's from years ago that are running in isolated enclaves on my LAN at home with no default gateway set. This allows them to connect to other devices on the same LAN but nowhere beyond.

BSD UNIX and Debian Linux are among the most secure... macOS, not as much.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back