Apple has patched a security flaw with today’s release of iOS 14.8, iPadOS 14.8, watchOS 7.6.2 and macOS 11.6.
The flaw, discovered by Citizen Lab (a cyber research arm of the University of Toronto), was detailed on Monday and involves the company’s Messages app.
“Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” said the iPhone maker’s document on the issues fixed today.
Citizen Lab said the flaw allowed Israel’s NSO Group to use its malware Pegasus to exploit Apple devices. Just by receiving the PDF, victims could have their phones compromised. The security flaw was used by the Pegasus malware to obtain access to a Saudi activist’s Apple device, said Citizen Lab.
“NSO Group will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime,” the company said in a statement, reported Bloomberg. The Israeli firm has been criticized numerous times by cyber researchers for its role in helping regimes break into journalists’ and activists’ phones.
Apple says Messages exploit “not a threat to the overwhelming majority of our users” and that it is working on new protections. It also thanks Citizen Lab for obtaining a sample of the exploit and its help fixing the issue. https://t.co/aC6Yk28KzV pic.twitter.com/J0iI1egIVm
— Mark Gurman (@markgurman) September 13, 2021
Update Sept. 12: You can read Apple’s statement on the matter above as per @MarkGurman.