Apple has released new updates for iOS, macOS, and watchOS to fix a bug that security analysts at Citizen Lab say could have been exploited to allow government agencies to send Pegasus-like spyware into the phones of journalists, lawyers, and activists.
The bug allowed for a “zero-click” install (meaning the target didn’t have to do anything to be infected) of the Pegasus spyware, which is reportedly capable of stealing data, passwords, and activating a phone’s microphone or camera.
Given the severity of the exploit, you should update to iOS 14.8, macOS Big Sur 11.6, and watchOS 7.6.2 as soon as you can because the spyware had been successfully used against phones running iOS 14.6 (released in May).
The research house Citizen Lab codenamed this spyware “ForcedEntry,” due to the vulnerability that seemed to match the behavior of an exploit Amnesty International wrote about in July.
At the time, the security researchers blamed it on a bug in Apple’s CoreGraphics system, especially when the phone tried to use a function related to GIFs, after it received a text message carrying the malware.
However, even with that info, it could be difficult to pin down exactly what was happening without access to the infected files themselves.
All of this serves as a reminder about how important it is to keep all your devices up-to-date.
Apple is planning on letting users install security updates for iOS 14 without having to upgrade to iOS 15, which could be useful for any future fixes. So get all your devices updated as soon as you can even if it’s a temporary fix.