Citizen Lab said the vulnerability would give hackers access to a device without the victim even clicking anything.
Apple has released an urgent security update for Mac, iPhone, iPad and Watch users after researchers with Citizen Lab discovered a zero-day, zero-click exploit from mercenary spyware company NSO Group that gives attackers full access to a device’s camera, microphone, messages, texts, emails, calls and more. Citizen Lab said in a report that the vulnerability — tagged as CVE-2021-30860 — affects all iPhones with iOS versions prior to 14.8, all Mac computers with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina and all Apple Watches prior to watchOS 7.6.2. Apple added that it affects all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation. CVE-2021-30860 allows commands to be executed when files are opened on certain devices. Citizen Lab noted that the vulnerability would give hackers access without the victim even clicking anything. Citizen Lab previously showed that repressive governments in Bahrain, Saudi Arabia and more had used NSO Group tools to track government critics, activists and political opponents. John Scott-Railton, a senior researcher at Citizen Lab, spoke out on Twitter to explain what he and Citizen Lab senior research fellow Bill Marczak found and reported to Apple. They found that the vulnerability has been in use since at least February. Apple credited them with discovering it. “Back in March my colleague Bill Marczak was examining the phone of a Saudi activist infected with Pegasus spyware. Bill did a backup at the time. A recent a re-analysis yielded something interesting: weird looking ‘.gif’ files. Thing is, the ‘.gif’ files…were actually Adobe PSD & PDF files…and exploited Apple’s image rendering library. Result? Silent exploit via iMessage. Victim sees *nothing,* meanwhile Pegasus is silently installed and their device becomes a spy in their pocket,” Scott-Railton explained. “NSO Group says that their spyware is only for targeting criminals and terrorists.
