KEY POINTS

  • Updates iOS 14.4.2, iPadOS 14.4.2 and watchOS 7.3.3 are now available
  • Apple also pushed out iOS 12.5.2 update for older Apple devices
  • The release of emergency security update is due to a recently uncovered zero-click remote exploit

Cupertino tech giant Apple has rolled out an emergency security update following the discovery of a zero-click, zero-day iMessage exploit believed to be used by NSO Group's contentious Pegasus spyware.

Apple released the emergency security update Monday to fix a security flaw that allows the dreadful Pegasus spyware from the NSO Group to infect Apple devices. This includes iPhone, iPad, Mac, and even the Apple Watch.

The patches are iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3. Unfortunately, this vulnerability could allow hackers to infect devices even without any user action.

Apple has released an emergency fix to software flaw targeted by the spyware at the heart of the Pegasus scandal
Apple has released an emergency fix to software flaw targeted by the spyware at the heart of the Pegasus scandal AFP / JOEL SAGET

The zero-day exploit, uncovered by security researchers at the University of Toronto’s Citizen Lab, impacts Apple's WebKit browser engine. This update is extremely urgent because the security vulnerability is being actively exploited.

To further highlight the seriousness of the security flaw, the tech giant also rolled out the iOS 12.5.2 patch for older devices. This is available for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and the 6th generation iPod Touch.

Apple did not reveal details but this kind of vulnerability could be utilized to launch malicious actions such as leading users to phishing sites.

"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals," Ivan Krstić, head of Apple security engineering and architecture, said in a statement.

The Pegasus spyware used a novel process to infect devices without the victim's knowledge. Dubbed "zeroclick remote exploit," it is considered by security researchers as the Holy Grail of surveillance.

It allows malicious attackers to secretly get into someone's device and turn the camera or microphone to spy on the user. It can also record messages, calls, texts, emails, and even encrypted messages without tipping the victim off.

Pegasus spyware is believed to be used by mercenaries, criminals, and even governments to spy on targeted individuals. "This spyware can do everything an iPhone user can do on their device and more," noted John Scott-Railton, a senior researcher at Citizen Lab.