An anonymous reader cites a TechCrunch report: Apple on Thursday released security updates that fix two zero-day exploits — that is, hacking techniques unknown at the time Apple became aware of them — used against a member of a civil society organization in Washington, D.C., according to researchers who discovered the vulnerabilities. Citizen Lab, an internet monitoring group that investigates government malware, published a short blog post explaining that last week they discovered a zero-click vulnerability – meaning the hackers’ target does not need to tap or click on anything, such as an attachment – used to target victims with malware.
Researchers said the vulnerability was used as part of an exploit chain designed to distribute NSO Group’s malware, known as Pegasus. “The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” Citizen Lab wrote. Once the vulnerability was found, researchers reported it to Apple, which released a patch on Thursday, thanking Citizen Lab for reporting it. Based on what Citizen Lab wrote in the blog post and the fact that Apple also patched another vulnerability and attributed its discovery to the company itself, it appears that Apple discovered the second vulnerability in investigating the first. Citizen Lab researcher John Scott-Railton says Apple’s Lockdown Mode would have blocked the exploits discovered in this case. Lockdown Mode is an opt-in feature introduced in iOS 16 that gives users the option to temporarily disable or limit features for security reasons. According to Apple, it “should only be used if you believe you are the target of a very sophisticated cyberattack, such as by a private company developing state-sponsored mercenary spyware.”