Apple discloses zero-days linked to NSO Group spyware
Editor's note, 4:15 p.m. ET: This story has been updated with information from Citizen Lab.
Apple released software updates on Thursday to address two zero-day vulnerabilities that researchers said were used to deliver NSO Group’s Pegasus spyware to at least one victim.
Cybersecurity researchers at the Citizen Lab at The University of Toronto said that all users of Apple devices should update their operating systems immediately to fix the bugs.
"Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware," the researchers said.
"The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim," the researchers said.
One bug, tracked as CVE-2023-41064, affects Apple's Image I/O framework and could be triggered on some iPhones, iPads, Macs and Apple Watches when the device processes “a maliciously crafted image,” Apple said.
The other vulnerability, CVE-2023-41061, is in the company’s Wallet function and is triggered in a similar way when a device is sent a “maliciously crafted attachment.”
In both cases, Apple said it was “aware of a report that this issue may have been actively exploited.” Apple declined to comment more about the bugs.
Citizen Lab said it had "immediately disclosed our findings to Apple and assisted in their investigation."
The software updates apply to macOS Ventura, iOS, iPadOS and watchOS. The patches were made available as part of regular updates to those products. They were not labeled as a Rapid Security Response — the term Apple uses for bug fixes issued urgently between full OS updates.
With the disclosure of those two vulnerabilities, the company has now patched 13 zero-days in 2023.
Since it was first developed in 2011, Pegasus has been used across the globe, often by governments spying on their citizens. It has been deployed to target assassinated Saudi journalist Jamal Khashoggi, members of the Catalan independence movement and human rights investigators in Mexico.
In recent years, regulators have attempted to prevent its spread, with the European Parliament urging EU member nations to ban it. U.S. President Joe Biden signed an executive order earlier this year blocking the use of commercial spyware by the government.
It's not the first time this year Apple has disclosed zero-days reportedly used in spyware campaigns: Two bugs fixed in June were exploited in a campaign that the Russian government blamed on the U.S.
A separate Rapid Security Response in July required a redo by Apple after the first version of the patch prevented some websites from displaying properly.
Joe Warminsky
is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. He previously helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.