Apple fixes zero-day vulnerability that installs Pegasus spyware with iOS 16.6.1

Apple has released iOS version 16.6.1. This must resolve a vulnerability that allows Pegasus spyware to be installed remotely. According to research institute The Citizen Lab, the exploit is being actively exploited.

Citizen Lab said it discovered a zero-day vulnerability last week that allows attackers to remotely install spyware on iPhone devices running the 16.6 version of iOS. The research institute claims it discovered this exploit after finding Pegasus spyware on the phone of an employee of “a civil society organization.”

Citizen Lab says it immediately reported the vulnerability to Apple. That company has with iOS version 16.6.1 now patched. The research institute urges everyone to install these as soon as possible.

How exactly the exploit could be exploited is not mentioned. Citizen Lab does say that it did not require any interaction from the victim. It is also reported that the attacker used PassKit attachments containing infected images, which were sent to the victim via iMessage. According to Citizen Lab, users were those the isolation mode of the iPhone had not been vulnerable to the exploit.

Pegasus is spyware that allows attackers to obtain all kinds of data from an infected phone, including messages, photos, videos and audio recordings. The NSO Group’s spy software has been under fire for some time. The spyware is said to have been used, among other things, to eavesdrop on journalists and human rights activists worldwide, as several media organizations discovered in 2021 in collaboration with Amnesty International and Forbidden Stories.