Apple released a critical software patch to fix a security vulnerability that researchers said could allow hackers to directly infect iPhones and other Apple devices without any user action.
An internet watchdog group says the flaw allowed spyware from the world’s most infamous hacker-for-hire firm, NSO Group, to infect the iPhone of a Saudi activist without any user interaction. The previously unknown vulnerability affected all major Apple devices — iPhones, Macs and Apple Watches.
The researchers from the University of Toronto’s Citizen Lab said it was the first time a so-called “zero-click” exploit — one that doesn’t require users to click on suspect links or open infected files — has been caught and analyzed. They found the malicious code on September 7 and immediately alerted Apple. The targeted activist asked to remain anonymous.
In a statement, Apple security chief Ivan Krstić commended Citizen Lab and said such exploits “are not a threat to the overwhelming majority of our users.” He noted, as he has in the past, that such exploits typically cost millions of dollars to develop and often have a short shelf life. Apple didn’t respond to questions regarding whether this was the first time it had patched a zero-click vulnerability.
Users should get alerts on their iPhones prompting them to update the phone’s iOS software. Those who want to jump the gun can open the phone’s Settings, tap “General” then “Software Update,” and install the update directly. Apple customers are urged to install the security patch immediately.