Pegasus: Apple Releases Security Update to Protect Against 'Zero-Click' Vulnerability

The vulnerabilities have reportedly been present since at least February of this year and were discovered by Canadian cybersecurity organisation Citizen Lab.

New Delhi: Apple on Monday rolled out a series of software updates for its products to protect against a critical vulnerability which could allow Pegasus, the NSO Group’s military-grade spyware, unfettered access to users’ iPhones, iPads, Apple Watches or Macs without so much as a click, the New York Times reported.

The vulnerabilities had been revealed by Citizen Lab, a cybersecurity organisation at the University of Toronto, while analysing a Saudi activist’s iPhone which had been infected with the Pegasus spyware.

Citizen Lab has dubbed this particular exploit ‘FORCEDENTRY’ and described it as a “zero-day zero-click exploit against iMessage”, Apple’s exclusive messaging app. 

A zero-day exploit is named as such since it gives companies zero days to fix it, and zero-click refers to the malware’s ability to infect a target device without any input from the device’s user; it can install itself without a user ever clicking on a malicious link or file.

The cybersecurity organisation, in a blog post on September 13, said that it believes FORCEDENTRY to have been in use since February 2021 and urged users to “immediately update their Apple devices.” Details regarding their discovery of the exploit in March of this year are available in the blog post.

The latest versions of Apple software which users have been advised to download and install are iOS 14.8, macOS 11.6 and watchOS 7.6.2.

Apple commended Citizen Lab for making the discovery and went on to note that, “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals,” as reported by AFP.

A Pegasus infection gives the attacker total access to a target’s device: they can turn on the camera and microphone, record calls and texts and access all the data on the device.

The use of the spyware came to light earlier this year as a result of the Pegasus Project, a collaborative investigation by The Wire and 16 other international media organisations, coordinated by Forbidden Stories and provided with technical support from Amnesty International’s Security Lab.

Apple’s move doesn’t look great for the Indian government – which just yesterday in the Supreme Court dismissed Citizen Lab’s research. “I have reservations about the report [referring to Citizen Lab’s work],” the solicitor general had said in the court. However, with Apple itself releasing an update to do away with the vulnerability found by Citizen Lab, it is the Union government’s claim that may give rise to reservations.