The flaw, disclosed Monday by Citizen Lab, allowed a hacker using NSO’s malware Pegasus to gain access to a device owned by a Saudi activist, according to security researchers.
Apple Inc. said it patched a security flaw in the Messages app across all of its major devices that security researchers say was actively exploited by Israel-based NSO Group.
The flaw, disclosed Monday by Citizen Lab, allowed a hacker using NSO’s malware Pegasus to gain access to a device owned by a Saudi activist, according to security researchers. Apple said the flaw could be exploited if a user on a vulnerable device received a “maliciously crafted” PDF file.
The malware didn’t require victims to engage with the file. Receiving it was enough to infect their devices, according to a report released by Citizen Lab, a cyber-research unit of the University of Toronto.
“Apple is aware of a report that this issue may have been actively exploited,” the iPhone maker said on its website.
Apple is patching the bug on the iPhone, iPad, Mac, and Apple Watch via iOS 14.8, iPadOS 14.8, macOS 11.6 and watchOS 7.6.2 software updates. The software releases came the day before Apple’s Sept. 14 product launch event, which will likely spur the release of iOS 15, Apple’s next major software update that will contain additional security protections.
“NSO Group will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime,” the company said in a statement.
The NSO Group has been the subject of repeated criticism by Citizen Lab and other organizations after its spyware has been discovered on the phones of activists and journalists critical of repressive regimes. NSO Group has insisted that the spyware is intended to be used to fight terrorism and crime, not to aid in human rights abuses.
Apple shares were little changed in extended trading after closing at $149.55 in New York.