
A plethora of Pegasus patches: Chrome, Firefox, old Apple OSes get updates


NSO Group Pegasus Spyware on iPhone, iOS (phone by R. Fernandez, Pegasus by N. Raymond)

On Monday, September 11, Apple and Google released security updates to address major flaws. The patched vulnerabilities are apparently ones that the NSO Group’s Pegasus spyware may have actively exploited in the wild. On September 12, Mozilla released a corresponding security update for Firefox.

Apple releases iOS and iPadOS 15, macOS Monterey and Big Sur updates

The patches that Apple released on Monday are as follows:

For all of these, Apple patched the same ImageIO flaw (CVE-2023-41064) that it had fixed in macOS Ventura, iOS 16, and iPadOS 16 last Thursday, September 7.

Notably, last week Apple also patched a Wallet vulnerability (CVE-2023-41061) for iOS 16, iPadOS 16, and watchOS 9. For whatever reason, Apple did not address this flaw for iOS 15, iPadOS 15, and watchOS 8 today.


Google patches a different Pegasus-exploited vulnerability

Also on Monday, Google released a security update for its popular Chrome browser. Google Chrome version 116.0.5845.187 addresses CVE-2023-4863, a heap buffer overflow in WebP. Apple and The Citizen Lab reported it to Google on September 6.

Google said that it “is aware that an exploit for CVE-2023-4863 exists in the wild.”

The Pegasus spyware likely leveraged this vulnerability as well, given who reported it and when.

As of Monday evening, updates did not appear to be available to address CVE-2023-4863 for other Chromium-based browsers. The most popular of these are Microsoft Edge, Brave, Vivaldi, and Opera. Be sure to check for updates for these browsers in the coming days and weeks.

You’ll also want to check for updates to apps that leverage the Electron framework or the Chromium Embedded Framework over the coming weeks. Such apps, if they remain unpatched, can put you at risk.
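One way to make that check on a Mac, as an added example that is not part of the original post: read each app bundle's Info.plist under /Applications and compare the installed version against the fixed Chrome build named above. The bundle identifiers, the minimum-version placeholders for the other vendors, and the status strings are this example's assumptions, not values from the post.

```python
import plistlib
from pathlib import Path

# Chrome build that fixed CVE-2023-4863 (from the post); other vendors ship their own
# build numbers, so their entries are None placeholders until their advisories name one.
# Bundle identifiers are assumptions; verify them against the installed apps.
CHROME_FIXED = "116.0.5845.187"
WATCHLIST = {
    "com.google.Chrome": ("Google Chrome", CHROME_FIXED),
    "com.microsoft.edgemac": ("Microsoft Edge", None),
    "com.brave.Browser": ("Brave", None),
    "com.vivaldi.Vivaldi": ("Vivaldi", None),
    "com.operasoftware.Opera": ("Opera", None),
}

def parse_version(v):
    """'116.0.5845.187' -> (116, 0, 5845, 187), so comparison is numeric, not lexical."""
    return tuple(int(x) for x in v.strip().split("."))

def is_patched(installed, fixed):
    """True when installed >= fixed; shorter version tuples are padded with zeros."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))

def classify(info):
    """Given a parsed Info.plist dict, return (name, version, status) or None."""
    name_fixed = WATCHLIST.get(info.get("CFBundleIdentifier"))
    if name_fixed is None:
        return None  # not one of the watched Chromium-based browsers
    name, fixed = name_fixed
    version = info.get("CFBundleShortVersionString", "0")
    if fixed is None:
        status = "unknown: check vendor advisory"
    elif is_patched(version, fixed):
        status = "patched"
    else:
        status = "VULNERABLE: update required"
    return name, version, status

def scan_applications(apps_dir="/Applications"):
    """Read every app bundle's Info.plist under apps_dir and classify the watched ones."""
    results = []
    for info_path in Path(apps_dir).glob("*.app/Contents/Info.plist"):
        with open(info_path, "rb") as f:
            hit = classify(plistlib.load(f))
        if hit:
            results.append(hit)
    return results
```

Calling scan_applications() on a Mac returns one (name, version, status) tuple per watched browser found in /Applications; a "VULNERABLE" status means the installed build predates the fix.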

Mozilla patches the same vulnerability in Firefox as Chrome

Update: On Tuesday, September 12, Mozilla released updates for Firefox (and Thunderbird, Mozilla’s e-mail app) to address the same vulnerability as Chrome. Interestingly, Mozilla used the same CVE number. This seems to imply that the vulnerability can be exploited in Firefox in the same way as Chromium-based browsers.

To ensure the patch is applied, verify that you’re running one of the following versions, or later: Firefox 17.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 115.2.2, or Thunderbird 102.15.1.

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.

Image credits: iPhone by Rafael Fernandez (CC BY-SA 4.0); Pegasus by Nicolas Raymond (CC BY 2.0); composition by Joshua Long, Intego (CC BY-SA 4.0).

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.