Date: 2023-09-08

This is the latest episode in Apple's ongoing battle with commercial spyware vendor NSO Group.

Apple has released a security update that all iPhone and iPad users should download as soon as possible.

On Thursday afternoon, the company began rolling out iOS 16.6.1. The update addresses a zero-day vulnerability that, according to the University of Toronto's Citizen Lab, had been actively exploited by Israel's NSO Group to infect devices with its Pegasus spyware. "Processing a maliciously crafted image may lead to arbitrary code execution," Apple says of the vulnerability on its iOS 16.6.1 support page.

Citizen Lab first discovered the vulnerability, dubbed Blastpass, last week while examining the device of an individual associated with a "civil society organization with international offices" based out of Washington DC. "The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim," the research group said. The exploit involved PassKit, a code suite Apple offers to developers who want to integrate Apple Pay features into their apps. Citizen Lab said it would share more information about the exploit in the future. According to Apple, iOS 16's Lockdown Mode is capable of blocking Blastpass.

"We encourage everyone who may face increased risk because of who they are or what they do to enable Lockdown Mode," Citizen Lab said. "We commend Apple for their rapid investigative response and patch cycle, and we acknowledge the victim and their organization for their collaboration and assistance."

This isn’t the first time Apple has had to issue an emergency update to address a vulnerability that the NSO Group had found in iOS. In 2022, the tech giant released iOS 15.6.1 to address two separate vulnerabilities. A year earlier, Apple even went so far as to sue the NSO Group in a bid to stop the spread of commercial spyware.