PSA: If you own an Apple device, you may have noticed an unscheduled update notification today. You may want to perform those updates at your earliest convenience. The patches are for iOS, watchOS, and macOS and fix a major security flaw that has been actively exploited since February to install Pegasus spyware on devices without user intervention.
On Monday, Apple pushed out emergency updates for iOS, watchOS, and macOS. The security patches were issued in response to a massive exploit that allowed the operating systems to be infected with spyware without interaction from the user.
Security researchers at the University of Toronto’s Citizen Lab disclosed the vulnerability dubbed “ForcedEntry” to Apple last Tuesday. The group discovered the security hole (CVE-2021-30860) while analyzing a Saudi activist’s iPhone.
The “zero-click exploit” leverages an iMessages weakness that calls on Apple’s image rendering library and can infect the device without any user intervention. The researchers found that the vulnerability is inherent in all three of Apple’s operating systems—iOS, watchOS, and macOS.
The spyware used is the controversial Pegasus application developed by NSO Group in Israel. Citizen Lab says it believes the exploit has been in use since February but has no idea how many devices could be infected with the spyware.
Pegasus is a particularly insidious software in that it can do everything from turning on the camera and microphone to accessing device settings.
“This spyware can do everything an iPhone user can do on their device and more,” John Scott-Railton, a senior researcher at Citizen Lab, told The New York Times. Co-researcher Bill Marczak added, “the commercial spyware industry is going darker.”
The NSO Group maintains that it only sells its spyware to