Apple has just released a series of updates for iOS, macOS and watchOS to fix a bug that security researchers at Citizen Lab say was likely used by government agencies to install spyware on the phones of journalists, lawyers and activists.
The researchers say the bug allowed the installation of the Pegasus spyware through a "zero-click" exploit, meaning the target did not have to do anything (such as open a link or an attachment) to be infected. Pegasus can reportedly steal data and passwords and silently activate a phone's microphone or camera.
Given the severity of the exploitation, you should install iOS 14.8, macOS Big Sur 11.6 and watchOS 7.6.2 as soon as possible.
Citizen Lab also said that this exploit, dubbed "ForcedEntry", appears to match the behaviour of a similar exploit described by Amnesty International in July. At the time, security researchers wrote that the exploit relied on a bug in Apple's CoreGraphics framework and was triggered when the phone tried to process what appeared to be a GIF file, after receiving a text message that contained a malicious attachment.
Even with that information, however, it could be difficult to determine exactly what happened without access to the infected files themselves. According to Citizen Lab, the suspicious files recovered from a hacked activist's phone appeared to be GIFs sent as SMS attachments, but were in fact PSD and PDF files. Citizen Lab suspected a link to Pegasus and sent the files to Apple on September 7. Apple released software updates fixing the bug on September 13 and thanked Citizen Lab in a statement for "completing the very difficult task of obtaining a sample of this exploit."
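The detail worth taking away from the paragraph above is the disguise: files named as GIFs whose bytes were actually PSD or PDF. The small script below, added here as an illustration and not code from the article, from Citizen Lab or from Apple, shows how a defender triaging message attachments could flag that extension/content mismatch by checking the standard leading "magic" bytes of each format. The sample attachments are constructed header stubs, not real exploit files, and the function and variable names are the author's own.

```python
# Added example: flag attachments whose extension claims one file type
# while the content's magic bytes say another (e.g. "x.gif" that is a PDF).
# Not from the original article, Citizen Lab or Apple; names are illustrative.
import os
from typing import Dict, List, Optional

# Leading byte signatures for the formats involved (published file magic):
# GIF starts with "GIF87a"/"GIF89a", Photoshop PSD with "8BPS", PDF with "%PDF-".
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "psd": (b"8BPS",),
    "pdf": (b"%PDF-",),
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the format implied by the file's leading bytes, or None if unknown."""
    for name, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return None


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the type claimed by the extension with the type sniffed from content."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    claimed = ext or None
    actual = sniff_type(data)
    # Only call it a mismatch when both sides are known and disagree; an
    # unrecognised header is reported as actual=None rather than as a mismatch.
    mismatch = claimed is not None and actual is not None and claimed != actual
    return {"file": filename, "claimed": claimed, "actual": actual, "mismatch": mismatch}


def triage(samples: Dict[str, bytes]) -> List[str]:
    """Return the names of all attachments whose content does not match their extension."""
    results = (check_attachment(name, data) for name, data in samples.items())
    return [r["file"] for r in results if r["mismatch"]]


# Constructed sample attachments (header bytes only; not real files or exploits).
SAMPLES: Dict[str, bytes] = {
    "photo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",        # genuine GIF header
    "meme.gif": b"8BPS\x00\x01" + b"\x00" * 8,                 # PSD disguised as GIF
    "funny.gif": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",             # PDF disguised as GIF
    "doc.pdf": b"%PDF-1.4\n",                                  # honest PDF
    "unknown.gif": b"\x00\x01\x02",                            # unrecognised header
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_attachment(name, data))
    print("flagged:", triage(SAMPLES))
```

Treat this as a triage aid for samples you have already collected, not as a defence: image decoders on the device select a parser from the file's content, not its name, which is exactly why renaming a PSD or PDF to ".gif" worked. The only real fix is the patch.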
All of this serves as a reminder of how important it is to keep all your devices up to date. While we hope you never find yourself on the wrong side of a government that uses advanced surveillance software, it is still a good idea to make sure your device is not vulnerable to widely reported security exploits.