NORTH TEXAS (CBSDFW.COM/AP) - Important news for owners of Apple tech products -- the company has released a critical software patch to fix a security vulnerability that researchers said could allow hackers to directly infect iPhones and other Apple devices without any user action.
Researchers at the University of Toronto's Citizen Lab said the flaw was exploited to plant spyware on a Saudi activist's iPhone, and warned that it could allow hackers to similarly infect other Apple devices without any user action.
The researchers said the flaw was exploited by the world's most infamous hacker-for-hire firm, Israel's NSO Group; the company responded with a one-sentence statement saying it will continue providing tools for fighting "terror and crime."
The previously unknown vulnerability affected all major Apple devices — iPhones, Macs and Apple Watches, the researchers said. NSO Group responded with a one-sentence statement saying it will continue providing tools for fighting "terror and crime."
It was the first time a so-called "zero-click" exploit — one that doesn't require users to click on suspect links or open infected files — has been caught and analyzed, the researchers said. They found the malicious code on Sept. 7 and immediately alerted Apple. The targeted activist asked to remain anonymous, they said.
In a blog post, Apple said it was issuing a security update for iPhones and iPads because a "maliciously crafted" PDF file could lead to them being hacked. It said it was aware that the issue may have been exploited and cited Citizen Lab.
In a subsequent statement, Apple security chief Ivan Krstić commended Citizen Lab and said such exploits "are not a threat to the overwhelming majority of our users." He noted, as he has in the past, that such exploits typically cost millions of dollars to develop and often have a short shelf life. Apple didn't respond to questions regarding whether this was the first time it had patched a zero-click vulnerability.
Users should get alerts on their iPhones prompting them to update the phone's iOS software. Those who want to jump the gun can go into the phone settings, click "General" then "Software Update," and trigger the patch update directly.
Citizen Lab called the iMessage exploit FORCEDENTRY and said it was effective against Apple iOS, MacOS and WatchOS devices. It urged people to immediately install security updates.
(© Copyright 2021 CBS Broadcasting Inc. All Rights Reserved. The Associated Press contributed to this report.)
for more features.