Apple users are being urged to install emergency software updates released by the company on 13 September 2021 to patch a critical vulnerability discovered by security researchers. The vulnerability can allow hackers to silently infect iPhones and other Apple devices with powerful spyware known as Pegasus. Read on to find out what the security flaw means for Apple users, and what you should do if you’re affected.

How does the vulnerability put Apple users at risk? 

The security flaw was discovered by cybersecurity researchers Citizen Lab, based in Toronto. It allows attackers to deploy what’s called a ‘zero-click exploit’ that can run silently without the owner of the device having to click on a suspect link or open a document. Once the infected files – in this case, PDF documents disguised as GIFs – are on a device, Pegasus spyware is silently installed. Once the spyware is on a device, the attackers can silently copy and steal the messages sent and received on the phone, use the camera to secretly film the phone’s owner, and eavesdrop via the microphone. While it’s very unlikely that ordinary users’ Apple devices will be targeted by Pegasus spyware, the vulnerability the researchers found has worried security experts.

Where does the spyware come from? 

Spyware that can be installed without the phone’s owner doing anything at all is highly prized by law enforcement, criminals and some governments. It means they can silently snoop on the target without them having any clue their device has been compromised. The exploit, in this case, called ‘FORCEDENTRY’, was found when the researchers analysed an iPhone belonging to a Saudi dissident, whose phone was hacked when they were sent image files containing the spyware via iMessage. Citizen Lab said that FORCED ENTRY is the latest in a string of zero-click exploits linked to NSO Group, an Israeli company best known for its Pegasus spyware. NSO Group says its products are meant to be used only to target criminals by licensed law enforcement bodies, but Pegasus is known to have been used in the past to target dissidents, journalists and human rights activists. The phones of activists in Bahrain, French journalists, and an adviser to Dubai’s Princess Latifa, who was recaptured in 2018 on a yacht on the Indian Ocean after fleeing the emirate, are among those whose phones are said to have been compromised by Pegasus spyware. Compare our Mac antivirus software package reviews.

What should Apple users do? 

A patch for the vulnerability was pushed out on 13 September 2021 by Apple, which updates iPhones to iOS 14.8, and iPads to iPadOS 14.8. Apple Watches are updated to watchOS 7.6.2, while Macs running the current Big Sur version of macOS are updated to Big Sur 11.6. Older Macs running Catalina and Mojave will receive updates to Safari version 14.1.2. Apple’s head of security, Ivan Krstić, said:

‘Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.’

If you haven’t yet updated your Apple devices this week, you should check for the update and run it as soon as possible.