Apple delivers emergency patches to all of its operating systems to address a significant ‘zero-click vulnerability.’

Spread the love

‘The commercial spyware industry is deteriorating.’ Citizen Lab at the University of Toronto

You may have received an unplanned update message today if you own an Apple iPhone. You may want to perform those updates as soon as possible. The fixes are for iOS, watchOS, and macOS, and they address a critical security weakness that has been regularly abused since February to instal Pegasus spyware on devices without user intervention.

On Monday, Apple pushed out emergency updates for iOS, watchOS, and macOS. The security patches were issued in response to a massive exploit that allowed the operating systems to be infected with spyware without interaction from the user.

Security researchers at the University of Toronto’s Citizen Lab disclosed the vulnerability dubbed “ForcedEntry” to Apple last Tuesday. The group discovered the security hole (CVE-2021-30860) while analyzing a Saudi activist’s iPhone.

The “zero-click exploit” leverages an iMessages weakness that calls on Apple’s image rendering library and can infect the device without any user intervention. The researchers found that the vulnerability is inherent in all three of Apple’s operating systems—iOS, watchOS, and macOS.

READ ALSO:  EA is bringing its game subscription service to Steam on August 31

The spyware used is the controversial Pegasus application developed by NSO Group in Israel. Citizen Lab says it believes the exploit has been in use since February but has no idea how many devices could be infected with the spyware.

Pegasus is a particularly insidious software in that it can do everything from turning on the camera and microphone to accessing device settings.

“This spyware can do everything an iPhone user can do on their device and more,” John Scott-Railton, a senior researcher at Citizen Lab, told The New York Times. Co-researcher Bill Marczak added, “the commercial spyware industry is going darker.”

The NSO Group maintains that it only sells its spyware to government law enforcement agencies per regional laws and regulations. However, the software has turned up on the devices of non-criminal individuals, including diplomats, activists, and journalists. Additionally, Germany’s state police agency came under harsh criticism last week for secretly purchasing and employing Pegasus to spy on terrorists and organized crime members.

READ ALSO:  Ubisoft reveals PC system requirements for Watch Dogs: Legion

Since learning of the exploit last Tuesday, Apple engineers have been scrambling for a fix and issued one today. Scott-Railton urges owners of any Apple device to update the operating system as soon as possible.

If you are interested in the full details of the vulnerability, Citizen Lab posted a write-up on its website. Apple also has patch notes listed on its support pages.

Image credit: Amir Cohen/Reuters


Leave a Reply