Apple’s Emergency Software Update to Fix a Severe Security Vulnerability Used to Install Pegasus

Apple has released a critical security update, 16.6.1, for iPhones to address a zero-day vulnerability in iOS 16 that could potentially allow attackers to remotely install spyware on a device without any interaction from the iPhone owner. The exploit was discovered by Citizen Lab, a research group focused on spyware, which promptly informed Apple about it.

This zero-click, zero-day exploit was used to install the Pegasus spyware from NSO Group onto an iPhone belonging to an employee of a civil society organization based in Washington, DC.

Citizen Lab has not provided a detailed breakdown of the vulnerability for security reasons, but it does involve PassKit attachments, which are associated with Apple Pay and Wallet, containing malicious images sent via iMessage. Pegasus allowed users to send attachments via iMessage with hidden code to unsuspecting victims—what Citizen Lab refers to as BLASTPASS—that then allowed the spyware to take over the device’s functions “without any interaction from the victim,” according to the Citizen Lab statement.

In response to this discovery, Apple has swiftly released iOS 16.6.1, while NSO told Reuters it didn’t have an immediate comment regarding the Citizen Lab research.