Researchers said the exploit, dubbed ForcedEntry, has been used to infect Apple devices with the Pegasus spyware.
Apple has released an update to address a security flaw affecting iPhones, iPads, Apple Watches and Macs.
All users are strongly urged to update to iOS 14.8, iPadOS 14.8, watchOS 7.6.2 and macOS Big Sur 11.6 immediately to ensure they are protected against the issue.
The exploit was discovered by internet research group CitizenLab, which said it was used by spyware company NSO Group to infect the phone of a Saudi Arabian human rights activist with Pegasus spyware.
CitizenLab said the exploit, which it is calling ForcedEntry, may have been used by NSO Group as early as February. It is a ‘zero-click’ exploit, meaning the target does not need to open a message, tap a link or take any other action for the attack to succeed. It is delivered through iMessage and targets Apple’s image rendering code library.
ForcedEntry is significant because it affects every current Apple platform and because it is capable of circumventing BlastDoor, the sandbox Apple introduced in iOS 14 to isolate the parsing of untrusted iMessage content, according to researchers.
CitizenLab delivered its findings on the issue to Apple on 7 September, and the company released the set of updates yesterday (13 September).
Apple’s documentation for the updates says that they also fix a separate vulnerability in WebKit, the browser engine behind Safari, which “may have been actively exploited”.
In a statement, Ivan Krstić, Apple’s head of security engineering and architecture, said: “After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users.
“We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.”
He continued: “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
NSO Group’s Pegasus software has been used by authoritarian governments around the world to target journalists and activists. Toronto-based CitizenLab recently said that the phones of nine Bahraini activists were hacked between June 2020 and February 2021 using NSO Group spyware.