Tech giant Apple on Tuesday said it has fixed the zero-day vulnerability that allowed Israeli spyware tool Pegasus to infect iPhones.
Cybersecurity firm Citizen Lab, which has been credited with discovering the vulnerability, urged users to download the update immediately.
“Today, September 13th, Apple is releasing an update that patches CVE-2021-30860. We urge everyone to immediately update all Apple devices,” the company said in a tweet.
The tech giant itself has confirmed the fix too.
“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly,” Ivan Krstić, Apple’s head of security engineering, said in a statement.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data,” he added.
The Pegasus spyware has been used, presumably by nation-state actors, in order to hack into devices owned by activists, politicians and journalists worldwide.
Earlier this year, The Wire reported that 161 people from India were targeted using the spyware tool.
The list included senior journalists, opposition leaders like Rahul Gandhi and public interest lawyer Prashant Bhushan.
Similar figures in Mexico, Azerbaijan, the UAE and other countries have also been targeted using the tool.
The spyware tool allows hackers to record phone calls on a device, listen to conversations using the phone’s microphones, record video using the camera, read text messages and emails, and more.
It was built by Israeli security firm NSO Group, which has said on multiple occasions that the tool is only sold to verified government organisations.
The spyware exploited versions 14.4 and 14.6 of Apple’s iOS software, which runs on the company’s iPhones.
Specifically, the tool exploited a vulnerability in Apple’s iMessage platform, which the company uses to deliver instant messaging services to its customers.