According to Citizen Lab, the new NSO Group exploit — dubbed BLASTPASS by the researchers — involves the attacker using an iMessage account to send the target messages with malicious image files attached. Apple has today released an iPhone update, iOS 16.6.1, to address the exploit, so running a software update on your device as soon as possible is the first step to closing the hole that BLASTPASS gives Pegasus. To do this, go to Settings -> General -> Software Update.
Apple has also released updates for iPad, Mac, and Apple Watch, which should also be installed as a matter of urgency.
“Processing a maliciously crafted image may lead to arbitrary code execution,” Apple said of the exploit, confirming that it “is aware of a report that this issue may have been actively exploited.” Specific to the ImageIO vulnerability described by Citizen Lab, Apple says “a buffer overflow issue was addressed with improved memory handling,” and adds that for a similar issue in Wallet, “a validation issue was addressed with improved logic.”
Most people are unlikely to be targets of NSO Group clients and should be fine with the new update. Those at “increased risk” should turn on the iPhone’s “Lockdown Mode,” Citizen Lab recommended, which is specifically designed to resist Pegasus-style mercenary spyware attacks. To do this, go to Settings -> Privacy & Security -> Security -> Lockdown Mode -> Turn On Lockdown Mode -> Turn On Lockdown Mode (again) -> Turn On & Restart. After entering your device passcode, you’ll be good to go.