Apple has released emergency security updates for four of its core platforms to close two actively exploited vulnerabilities that were being used to infect devices with the Pegasus spyware. The last-minute fixes were rolled out on Thursday, September 7, for the iPhone, iPad, Apple Watch, and Mac, just days ahead of Apple’s 2023 launch event on September 12.
The vulnerability was discovered and reported to Apple by The Citizen Lab, an academic research lab that analyzes security threats and other risks.
Credited by Apple for the discovery, the lab issued a report describing the flaw as an exploit chain, which it dubbed BLASTPASS, capable of compromising iPhones running what was then the latest version of iOS (16.6) without any interaction from the user. The chain was triggered by an attacker sending PassKit attachments containing malicious images from an attacker-controlled iMessage account to the victim; because the payload is processed on receipt, the target never has to open the message.
In response, Apple patched the two vulnerabilities that make up the chain, tracked as CVE-2023-41064 (a buffer overflow in the ImageIO image-parsing framework, reachable through a maliciously crafted image) and CVE-2023-41061 (a validation issue in Wallet, reachable through a maliciously crafted attachment). The Citizen Lab urged all users to apply the fixes immediately by installing the latest updates on affected devices.
For iPhone and iPad users, iOS 16.6.1 and iPadOS 16.6.1 are now available to be installed on the iPhone 8 and later, all models of the iPad Pro, the iPad Air 3rd generation and later, the iPad 5th generation and later, and the iPad mini 5th generation and later. Head to Settings > General > Software Update. Tap Download and Install to apply the update.
Fixes for other Apple devices are available as well.
For Apple Watch wearers, watchOS 9.6.2 is available for the Apple Watch Series 4 and later. Open the Watch app on your iPhone, go to General and then Software Update, and then tap Download and Install.
And for Mac users, macOS Ventura 13.5.2 is ready. For this one, click the Apple icon and select System Settings. Click General and then Software Update. Click the button to install the update.
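Anyone responsible for more than one machine will want to confirm the installed version rather than trust that the update ran. The script below is an added example, not code from the article, Apple, or The Citizen Lab. It compares dotted version strings field by field (a plain string comparison would rank 13.5.10 below 13.5.2) against the minimum builds named above, and on a Mac reads the running version with `sw_vers` and points at `softwareupdate` when the machine is behind. The threshold for macOS assumes Ventura; older major versions received their own separate builds and must be checked against their own advisory numbers.

```shell
#!/bin/sh
# Added example (not from the article): check an installed OS version against
# the build that carries the BLASTPASS fix. Minimum versions are the ones
# Apple shipped on 7 September 2023; older macOS majors are NOT covered by
# the 13.5.2 threshold and need their own advisory's number.
IOS_MIN=16.6.1
WATCHOS_MIN=9.6.2
MACOS_MIN=13.5.2

# version_ge INSTALLED MINIMUM
# Returns 0 when INSTALLED >= MINIMUM, comparing each dotted field as an
# integer, so 13.5.10 >= 13.5.2 and 13.5 < 13.5.2 (missing fields count as 0).
version_ge() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# verdict INSTALLED MINIMUM -> prints "patched" or "unpatched"
verdict() {
    if version_ge "$1" "$2"; then
        echo patched
    else
        echo unpatched
    fi
}

# check_macos: on a Mac, read the running version and report. Exit status:
# 0 patched, 1 unpatched, 2 not a Mac (sw_vers is macOS-only).
check_macos() {
    if ! command -v sw_vers >/dev/null 2>&1; then
        echo "sw_vers not found: not macOS, skipping"
        return 2
    fi
    cur=$(sw_vers -productVersion)
    case "$(verdict "$cur" "$MACOS_MIN")" in
        patched)
            echo "macOS $cur: patched (>= $MACOS_MIN)"
            return 0 ;;
        *)
            echo "macOS $cur: NOT patched, need $MACOS_MIN or later"
            echo "list pending updates:  softwareupdate --list"
            echo "install them:          sudo softwareupdate --install --all --restart"
            return 1 ;;
    esac
}

# Run the live check only when invoked as: sh check.sh check
case "${1:-}" in
    check) check_macos ;;
esac
```

For iPhone, iPad and Apple Watch the same `verdict` function applies to the version string reported in Settings > General > About (or by an MDM inventory), compared against `IOS_MIN` and `WATCHOS_MIN`.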
In its report, The Citizen Lab revealed how it found the vulnerability: “Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware.”
A spyware tool used by Israel-based NSO Group, Pegasus has gained a level of infamy for targeting government officials, political activists, and journalists. The software works by remotely accessing a device to collect handset data, monitor conversations through messaging apps such as WhatsApp and Facebook, snoop on email exchanges and browser activity, and spy on people through a device’s camera and microphone.
The NSO Group has continually maintained that Pegasus is used for legitimate purposes by governments to track criminal and terrorist activity and monitor local and global threats. But The Citizen Lab, Amnesty International, and other groups claim that the spyware is used to target innocent people.
Potential victims of Pegasus who believe they are being actively targeted are urged to put their iPhones or iPads into Lockdown Mode. Available to all users on current releases, Lockdown Mode trades convenience for attack surface: it blocks most iMessage attachment types and link previews, and restricts other features that spyware has historically abused. The Citizen Lab said that Apple’s security engineering team confirmed Lockdown Mode blocks this particular attack, although it is not a substitute for installing the update.
Pushing out updates just days in advance of a launch event is rare for Apple, which speaks to the critical nature of the vulnerability and the need to apply these fixes.
Next Tuesday, September 12, Apple is expected to raise the curtain on its new iPhone, Apple Watch, AirPods, and potentially other products. Along with the new products will be brand new versions of iOS/iPadOS, watchOS, macOS, and tvOS. Apple typically releases new versions of its respective operating systems about a week after the launch event, so expect them around September 19.