Apple users are being urged to update their products immediately to protect against a powerful new spyware that infiltrated devices without any clicks.
The tech company released updates to patch two zero-day exploit chains on Thursday.
It comes after an employee of the Washington DC-based civil society organization Citizen Lab found the zero-click vulnerability delivering Pegasus mercenary spyware, according to John Scott-Railton, a researcher for the group.
‘Last week we @citizenlab discovered a new #Pegasus zero-click exploit chain (No clicking required to infect latest iOS!)’ he wrote on X (formerly Twitter) on Thursday afternoon.
🚨 Update your @apple products immediately!
(No clicking required to infect latest iOS!)
Found while checking civil society.
— John Scott-Railton (@jsrailton) September 7, 2023
He urged users to ‘update your @apple products immediately!’
Citizen Lab, which investigates government malware, explained in a blog post that victims can be targeted by malware without clicking or tapping or opening any attachments.
‘The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,’ wrote the internet watchdog group.
Upon discovering the zero-click vulnerability, Citizen Lab informed Apple, which thanked the group for reporting it. Citizen Lab helped in the probe.
Apple stated that one of the bugs, tracked as CVE-2023-41064, left iPhones, iPads, Macs and Apple Watches, among other devices, vulnerable to attack when processing ‘a maliciously crafted image’, according to The Record.
Similarly, the other bug, CVE-2023-41061, could make devices vulnerable if they received a ‘maliciously crafted attachment’.
Apple stated that it was ‘aware of a report that this issue may have been actively exploited’ and declined to comment further on the two bugs.
The patches were integrated into Apple’s regular updates for iOS, macOS, iPadOS and watchOS.
It is not the only time that Apple has disclosed zero-day bugs this year. In June, the company fixed two bugs that were exploited in a campaign that Russia blamed on the US.