Apple has fixed a zero-click, zero-day vulnerability in its iMessage software that could allow attackers to gain control of a device. The vulnerability was reportedly being exploited by the NSO Group, an Israeli hacker-for-hire collective, which used it to install its Pegasus spyware on Apple devices belonging to specific targets.
So let’s unpack what all of that actually means.
Zero-click.
A zero-click vulnerability is a vulnerability in software that can be successfully exploited by crooks without the need for meaningful interaction by the target. These are the most serious of vulnerabilities.
Most online attacks will require a victim to do something they shouldn’t do. For example, agree to download a file, open an email attachment or click a link and enter sensitive details on a spoof website. The most challenging aspect for any online crook is tricking the victim into doing these things.
Zero-click vulnerabilities do not require this amount of interaction. A victim can become a victim even if they follow good security advice. This is why zero-click vulnerabilities are particularly serious. They’re exploiting a vulnerability in the software, and not trying to trick a victim into doing something they shouldn’t, like most online attacks.
Zero-day.
Most of our regular readers will know what a zero-day vulnerability is. It refers to any vulnerability being used by crooks to target victims before the developers have a chance to fix the vulnerability.
So, a zero-click, zero-day vulnerability is a vulnerability being actively used by crooks (or other bad actors) that the developer (in this case, Apple) didn’t know about at the time, and that requires little to no interaction from the target for them to become a victim.
In this case, the vulnerability targeted the iMessage facility on iPhones, iPads and Macs. The crooks were able to send a victim specially crafted files via iMessage that could mimic GIF images (those animated images we often see online) but were actually files capable of crashing a device and rendering it susceptible to malware. The target need only open a chat message to become a victim.
The attack was discovered in the wild by Citizen Lab, which analysed the phone of a Saudi activist who had been targeted by the NSO Group and had the Pegasus spyware installed on their device. It is thought that all of the latest Apple phones are vulnerable to this type of attack, which Citizen Lab believe has been used since February 2021.
The likelihood of the average reader being targeted using this vulnerability is small, since only the NSO Group has been known to actively exploit it, and they are associated with targeting very specific victims, often political dissidents or influencers. But it is still recommended you update all of your Apple devices as soon as you can.