Apple releases update fixing NSO spyware vulnerabilities

Get a free Techzine subscription!

The vulnerabilities affects Macs, iPhones, iPads and Watches.

Apple released an urgent and critical security update for Mac, iPhone, iPad and Watch. The update comes after researchers with Citizen Lab discovered a zero-day, zero-click exploit from mercenary spyware company NSO Group.

The spyware gives attackers full access to a device’s camera, microphone, messages, texts, emails, calls and more.

Citizen Lab said in a report that the vulnerability affects all iPhones with iOS versions prior to 14.8. It also hits all Mac computers with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina. The threat also affects all Apple Watches prior to watchOS 7.6.2. They tagged the flaw as CVE-2021-30860.

Apple also confirmed that CVE-2021-30860 affects all iPad Pro models. It also affects iPad Air 2 and later and iPad 5th generation and later. The iPad mini 4 and later and iPod touch 7th generation are also on the list of devices at risk.

Users don’t even have to click anything

The flaw allows commands to be executed when files are opened on certain devices. Citizen Lab noted that the vulnerability would give hackers access without the victim even clicking anything. Citizen Lab previously showed that repressive governments have used NSO Group tools to track government critics, activists and political opponents. 

Ivan Krstić, head of Apple Security Engineering and Architecture, told ZDNet that after identifying the vulnerability used by this exploit for iMessage, Apple “rapidly developed and deployed a fix in iOS 14.8 to protect our users.” “We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly.”

Krstić added that such attacks are “highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.”

“While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”