Apple on Thursday pushed out updates for older versions of its iOS and macOS operating systems, patching three zero-day vulnerabilities including a bug that was likely exploited in the wild by NSO Group's Pegasus spyware.
Earlier today, Apple issued iOS 12.5.5 with a fix for a CoreGraphics flaw that allows attackers to execute arbitrary code on a target device through maliciously crafted PDFs. The vulnerability may have been exploited in the wild, according to a support document detailing the update's security content.
Impacting a range of iPhone and iPad models, including iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and sixth-generation iPod touch, the CoreGraphics zero-day was discovered by Citizen Lab, an interdisciplinary laboratory at the University of Toronto's Munk School of Global Affairs. The group's involvement strongly suggests NSO deployed the exploit to bolster its Pegasus malware tool.
Citizen Lab has been following NSO and its impact on technology human rights and the global political landscape for years. Over the past few months, the initiative discovered multiple zero-day vulnerabilities tied to the Pegasus spyware, which is allegedly used by authoritarian governments to hack and surveil iPhones and other iOS devices used by journalists, activists, government officials and other persons of interest.
Pegasus is sometimes deployed as a zero-click attack. In August, it was reported that a so-called "ForcedEntry" attack vector was used to bypass Apple's new BlastDoor security protocols in Messages, allowing insertion of Pegasus on a Bahraini human rights activist's iPhone 12 Pro. Apple subsequently released a fix for impacted iOS 14 versions earlier in September. Separate attack vectors reportedly involved Photos and Apple Music.
The Citizen Lab discoveries brought public attention to the potential for abuse of Pegasus by government entities. In July, Israeli government officials visited the offices of NSO as part of an investigation into the spyware.