Apple releases emergency software update due to spyware flaw

Apple released a software update Monday to fix a security flaw that can allow iPhones and other devices to be hacked.

Updated: September 13, 2021 - 9:32pm


Spyware researchers have found a flaw within iPhones that makes them vulnerable to the extremely invasive spyware Pegasus.

According to the Washington Post, Apple released an emergency software update Monday night that patches the exploit discovered by the spyware researchers. 

The vulnerability is the first one of its kind to be found in iPhones since 2019. Researchers at Citizen Lab say they found the hack on a Saudi political activist's device. The spyware appears to have made it onto the device without user interaction, which poses a serious security risk for many Apple product owners.

Pegasus was created by the Israeli cybersecurity company NSO Group. NSO Group has been known to provide its spyware to numerous countries, many of which are not allies of the U.S.

Despite discovering the flaw, Citizen Lab declined to name the country responsible for using Pegasus. The group also declined to name the Saudi political activist who was targeted.

“We wouldn’t have discovered this exploit if NSO’s tool wasn’t used against somebody they shouldn’t be targeting,” said John Scott-Railton, a researcher for Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs and Public Policy.

The hacking technique, known as a “zero-click attack,” had been in use since February and could have invaded numerous products that use Apple’s operating system.

As a result of the attack, Apple quickly released a software patch to remedy the situation. In a post on its website, Apple described the flaw and the potential consequences caused by this type of surveillance.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” the company said in the post.

In a statement, Ivan Krstić, Apple’s head of security and engineering, thanked Citizen Lab for “successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly.”

“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix,” the statement said.

“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
