The University of Toronto’s Citizen Lab, which discovered the exploits, said it found these vulnerabilities while inspecting a device owned by a person “employed by a Washington DC-based civil society organization with international offices.” Those exploits, Citizen Lab’s announcement says, were used to inject the NSO Group’s Pegasus spyware — software that has been used to hack journalists, business executives, and activists in addition to the criminal suspects and terrorists it was ostensibly designed to be used against.
That may sound unsettling, and it certainly can be for certain people. But ordinary users who aren’t likely to be targets of state-sponsored spyware attacks don’t have as much to worry about. Even so, the Citizen Lab encourages “all users” to install the update anyway.
How to install the update
To install the update, open your iPhone or iPad’s Settings app, then tap “Software Update.” If you see a new update waiting for you with the version number 16.6.1, tap “Download and install” to proceed.
On the off-chance you’re someone with a high-enough profile that even tighter security is warranted, you may want to consider trying Apple’s Lockdown mode. First released in iOS 16 last year, the feature — among other things — blocks certain kinds of message attachments, changes the way websites load to avoid potential vulnerabilities and bars people you haven’t been in contact with from being able to FaceTime you.
Apple calls it an “extreme” measure, and it is total overkill for the vast majority of users. That said, the University of Toronto’s Citizen Lab believes it could block attacks like these.
What if I don’t see an update?
If you don’t see an update waiting for you, it’s possible your phone already installed it. In the Settings app, tap “General,” then “About” — if you see 16.6.1 in the “iOS Version” field, you’re set.
There’s a good chance this is exactly what happened on your phone or iPad, too. Earlier this year, another Apple software update enabled an automatic update feature by default — all you have to do to make sure that new software like this security patch gets installed overnight is keep your device plugged in and connected to WiFi.