Tech giant Apple has rolled out an important software update to fix a security flaw in its Message app that was reportedly exploited by highly invasive Pegasus spyware, built by Israel’s NSO Group, to infect anyone’s iPhone, iPad, Apple Watch or Mac computer without so much as a click.
“Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” the tech giant said in a security note released Monday.
According to The Washington Post, the vulnerability has been in use on iOS, watchOS and macOS since at least February. The flaw, discovered by Toronto-based cybersecurity group Citizen Lab, allowed a hacker using NSO’s Pegasus malware to gain access to a device owned by an unnamed Saudi activist. The zero-day, zero-click exploit against iMessage, which Citizen Lab nicknamed ForcedEntry, targets Apple’s image rendering library and was effective against the company’s iPhones, laptops and Apple Watches, the group wrote in a post.
“We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware,” it added.
NSO did not dispute Pegasus had prompted the urgent software upgrade, and said in a statement that it would “continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime.”
The NSO Group has been the subject of severe criticism after it emerged that its Pegasus spyware is allegedly used by government agencies to snoop on eminent citizens, politicians and scribes. An international media consortium has reported that over 300 verified Indian mobile phone numbers were on the list of potential targets for surveillance using Pegasus spyware.