Apple has just released a series of new updates for iOS, macOS and watchOS to fix a bug that security researchers at Citizen Lab say may have allowed government agencies to install spyware on the phones of journalists, lawyers and activists.
Researchers say that The bug allowed the installation of a "zero-click" (meaning that the target had to do nothing to get infected) of Pegasus spyware, which is said to be able to steal data, passwords and activate a phone microphone or camera.
The Citizen Lab also said that this vulnerability, dubbed "ForcedEntry", seems to match the behavior of a similar Amnesty International in July. At the time, security researchers wrote that exploitation was possible due to an error in Apple's CoreGraphics system, which occurred when the phone tried to use a function associated with a GIF file after receiving a text message containing a malicious file.
However, even with this information, it could be difficult to determine exactly what happened without access to the infected files themselves. According to Citizen Lab, the suspected files from a hacked activist phone appeared to be GIFs sent as SMS attachments, but were in fact PSD and PDF. Citizen Lab suspected that it could be related to Pegasus, so it sent the files to Apple on September 7. Apple quickly released software updates fixing the bug on September 13 and thanked Citizen Lab in a statement for "completing the very difficult task of obtaining a sample of this exploit."
All of this serves as a reminder of how important it is to keep all your devices up to date. While we hope you will never be on the other side of a government that uses advanced spyware, it is still a good idea to make sure your device is not vulnerable to the widely cited security features.