Security experts and government officials alike are encouraging Apple users to patch a dangerous vulnerability in iOS, iPadOS, macOS, and even watchOS, that's being exploited in the wild and could infect a device without the user clicking on anything.

The updates resolve two vulnerabilities, CVE-2021-30860, last month's FORCEDENTRY zero click zero day against iMessage, uncovered by Citizen Lab, and CVE-2021-30858, an arbitrary code execution bug in WebKit. While the latter is present across iPhones, iPads, Apple Watches and macOS devices, the former is only present in iOS, iPhones, iPads, and macOS devices.

According to Citizen Lab, which researches human rights violations on behalf of the University of Toronto’s Munk School of Global Affairs & Public Policy, the FORCEDENTRY vulnerability, CVE-2021-30860, was being used by NSO Group's Pegasus Spyware to break Apple devices.

Citizen Lab said in a blog this week that it discovered the spyware in March after reviewing a Saudi activist's iPhone. As the New York Times notes, since FORCEDENTRY has been around since February 2021, it’s possible that 1.65 billion Apple products have been vulnerable since that time.

Citizen Lab first warned of the exploit in August stressing that it, along with KISMET, a 2020 exploit, was used to target Bahraini activists with Pegasus between June 2020 and February 2021.

Without the user being any the wiser, the spyware can turn on a user's camera and microphone, record messages, texts, emails, calls, and send them back to NSO clients. Citizen Lab has previously provided evidence that many of the NSO Group's clients include governments including Morocco, Azerbaijan, Bahrain, Saudi Arabia, and Pakistan, just to name a few.

Pegasus is interesting for many reasons, one of them being that it sidesteps BlastDoor, a sandbox security system in place in iMessage designed to thwart attacks like this.

Apple reportedly worked diligently over the last week to push a fix; Citizen Lab claims it forwarded artifacts related to the Saudi activist exploit chain – the vulnerability technically exploits an integer overflow in CoreGraphics, Apple's image rendering library - last Tuesday, September 7. That was after it previously forwarded crash and phone logs relating to KISMET and FORCEDENTRY back in August.

Ivan Krstić, head of Apple Security Engineering and Architecture, acknowleged the fix in a statement circulated to the press on Monday but downplayed the exploit’s impact on the everyday iPhone and MacBook user.

“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly,” Krstić said. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Citizen Lab urged Apple users to update all iOS devices prior to 14.8, macOS machines prior to OSX Big Sur 11.6, and Apple Watches prior to watchOS 7.6.2. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency echoed that recommendation on Monday, reiterating the importance of fixing the bugs.

Details about CVE-2021-30858, other than it impacts Safari’s WebKit browser engine and has been abused in the wild, aren’t widely known but the fact that it pushed a fix for the CVE this week suggests its just as, if not more critical, than the FORCEDENTRY exploit.