Apple Issues Urgent iPhone Software Update to Address Critical Spyware Vulnerability

Sep 24, 2021 • NewsAppleCyber SecurityDigital TransformationSoftware and AppsGLOBALSYNOPSYSCYBEREASON

Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, and Sam Curry, chief security officer at Cybereason, comment on the news that Apple has updated its software for iPhones to address a critical vulnerability.

It has been reported that Apple has updated its software for iPhones to address a critical vulnerability that independent researchers say has been exploited by notorious surveillance software to spy on a Saudi activist. Researchers from the University of Toronto's Citizen Lab said the software exploit has been in use since February and has been used to deploy Pegasus, the spyware made by Israeli firm NSO Group that has allegedly been used to surveil journalists and human rights advocates in multiple countries.


The urgent update that Apple released yesterday plugs a hole in the iMessage software that allowed hackers to infiltrate a user's phone without the user clicking on any links, according to Citizen Lab. The Saudi activist chose to remain anonymous, Citizen Lab said.

Commenting on this, Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, said "Zero-click software or apps should be a high concern for any mobile device user. This class of software doesn’t require any interaction by the user, so no explicit download and no explicit consent is granted. While there are legitimate uses for this class of software, the secretive nature of the installation makes it particularly appealing to malicious or criminal groups. The only real path for end users to defend against such software is to keep on top of all operating system updates, vendor updates, and maintain an up to date anti-malware solution."

Sam Curry, chief security officer at Cybereason, added "Monday’s emergency software updates for a critical vulnerability discovered in iPhones, Apple Watches and Macs, shouldn't be cause for panic. Yes, this newest Pegasus spyware delivery mechanism is novel, invasive and can easily infect billions of Apple devices, but stay calm and simply get control of your device and download the software updates available from Apple. Do that and move on. Follow Apple's instructions if you think you are infected and consult your IT department at work, school, etc. Failing that, Apple’s Genius Bar will be able to help. With nearly 2 billion iPhone active around the world, 100 million Apple Watches being used and more than 100 million Macs, security can’t be a luxury for Apple and it’s not, it’s a responsibility they take seriously.

This type of software is generally a scourge. This specific package has been known a while. What's novel is the subtle installation. These have happened in the past and should be a top priority to identify and fix for any vendor. Relating to Apple security, failing is OK. Failing consistently is not. Let's see how Apple addresses this. They are a generally more secure platform, but they must continue to invest and demonstrate commitment going forward. The most secure platform in the world can be cracked given time unless the security is maintained. An incident or two are not a cause for pitchforks and torches to come out. That comes later if things recur or are dealt with in a cavalier manner."

Further Reading: