Apple today quietly updated the list of security fixes that were introduced in iOS 18.3.1, noting a previously undisclosed fix for a zero-day vulnerability affecting the Messages app.Apple acknowledged the fix after security researchers from The Citizen Lab shared details on the flaw, which had been used to target two European journalists.The Messages vulnerability was exploited with the "Graphite" mercenary spyware created by Paragon.
Paragon's spyware has been used in targeted attacks against journalists and human rights activists across multiple platforms.According to Apple, a maliciously crafted photo or video shared through an iCloud link led to a logic issue that allowed for the infiltration of targeted devices.Apple's release notes say that it "is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals." Apple confirmed to The Citizen Lab that it fixed the vulnerability back when iOS 18.3.1 was released in February, but it is not clear why Apple did not disclose it before today.
