Apple has released an emergency patch to protect older iPhones and Macs from last week’s newly discovered spyware attack, which has been traced to NSO Group, a notorious surveillance dealer.
On Monday, the company released the patches through an iOS 15.7.9 update that covers devices including the iPhones 6s, iPhone 7, and iPhone SE models, plus the iPad Air 2. In addition, Apple is pushing a patch for macOS Big Sur and Monterey meant for Mac models dating back to 2013.
The patches are designed to protect the products from the vulnerability CVE-2023-41064, which Apple warned last week is being actively exploited. The flaw can allow a hacker to send a booby-trapped image to trigger an iPhone, iPad, or Mac to run rogue computer code, like potentially downloading malware or visiting a malicious website.
A watchdog group called Citizen Lab discovered the vulnerability while checking the device of “an individual employed by a Washington, D.C.-based civil society organization with international offices.” The investigation revealed the device had been infected with spyware from NSO Group, an Israeli company that sells its surveillance programs to foreign government and law enforcement groups.
“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” Citizen lab added. “The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.”
The vulnerability is so powerful that security experts everywhere are encouraging Apple users to patch their devices as soon as possible. On Monday, US cyber agency CISA issued its own warning, saying “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
The latest software updates join several patches Apple released last Thursday to protect the latest iPhones, iPads, Macs, and Apple Watches from the threat. During the investigation, Apple also discovered a second vulnerability, dubbed CVE-2023-41061, that can be exploited to manipulate the Wallet app to run rogue computer code if iOS processes a “malicious crafted attachment.”
Users can patch their iPhones by going to Settings > General > Software Update. The device can also patch itself automatically if you’ve switched on automatic updates.
NSO Group didn't immediately respond to a request for comment.