Apple warns of two exploited security flaws

Apple released software updates Thursday that patch two recently discovered, critical security bugs that hackers have already exploited.

Why it matters: The patches fix a set of vulnerabilities that researchers say helped controversial firm NSO Group install its Pegasus spyware onto a person's phone without being noticed.

Details: Apple patched a pair of issues that allowed NSO Group to surreptitiously infect a target's phone with the malicious spyware.

• One of the security flaws was in iOS's Image I/O framework, which allows applications to read and write most image files. If someone sent a malicious image to a victim's phone, a flaw in the I/O framework gave the intruder the ability to execute new code on the device.
• The other flaw was in Apple Wallet. An attacker sending a "maliciously crafted attachment" could also have given attackers code execution abilities.
• The update is available for iPhone 8 and later models, as well as most available iPad models and macOS Ventura systems.

The intrigue: Researchers at the University of Toronto's Citizen Lab uncovered the vulnerabilities while inspecting a phone belonging to an individual who works at a Washington, D.C.-based civil society organization.

• Citizen Lab immediately disclosed its findings to Apple, which rushed out a patch.

• It's unclear how many people have been affected by this exploit, but Citizen Lab said in a blog post that it plans to release more details.

What they're saying: "We commend Apple for their rapid investigative response and patch cycle, and we acknowledge the victim and their organization for their collaboration and assistance," Citizen Lab wrote in the blog post.

Be smart: iPhone users are highly encouraged to install these software updates immediately to avoid a hack.

• Citizen Lab also recommends that high-risk groups, such as journalists, government officials and dissidents, turn on the iPhone's Lockdown Mode feature.

Sign up for Axios' cybersecurity newsletter Codebook here