All Apple users need to update their iPhones, iPads, Apple Watches, and Mac PCs and laptops immediately to save themselves from a zero-click, zero-day vulnerability in the iMessage app that is actively being used to install the NSO Group’s Pegasus spyware.
I realise there’s a lot to unpack there, so first, let’s quickly explain what this vulnerability is and why it’s so serious. Then we’ll cover which updates you need to install right now to keep your devices and your data safe.
On Monday, security researchers at the University of Toronto’s Citizen Lab published a report claiming the Israel-based cybersecurity outfit NSO Group used a “zero-day, zero-click” exploit in the iMessage app’s code (now known as CVE-2021-20860, aka “FORCEDENTRY”) to infect a Saudi activist’s phone with Pegasus — a comprehensive spyware program that can track all activity on a victim’s device and which leaves practically no trace it has been installed on a device.
Normally, the affected user would have to download a malicious file, click a link, or install an infected app for a hacker to remotely install malware like Pegasus, but the Citizen Lab says NSO Group used the iMessage bug to send a totally invisible message laced with the malware to the activist’s phone, and Pegasus installed itself automatically. The activist never saw the message or knew Pegasus was installed, and didn’t have to interact with any malicious files to trigger the attack — hence why it’s called a “zero-click” exploit.
Apple immediately acknowledged and documented the bug following the report, then issued emergency security updates for the affected devices.
Installing the new patches is the only way to fix the bug. While it’s exceedingly unlikely NSO Group would target the average Apple user, the bug is now a proven vector that any hacker with the right skills could exploit — so go download and install the latest security patch for every Apple device you own right now.
iPhone, iPad, and Apple Watch users can start the download under Settings > General > Software Update. Mac updates are available in the Apple menu under System Preferences > Software Update.
You will want to be on the following firmware versions to make sure the vulnerability is closed:
macOS Big Sur 11.6
Additionally, macOS Catalina users need to install security update 2021-005. You can see a list of the latest security updates in the Apple Menu under About This Mac > Overview > System Report > Software > Installations.