
MacRumors

macrumors bot
Original poster
Apr 12, 2001


Apple today quietly updated the list of security fixes that were introduced in iOS 18.3.1, noting a previously undisclosed fix for a zero-day vulnerability affecting the Messages app.


Apple acknowledged the fix after security researchers from The Citizen Lab shared details on the flaw, which had been used to target two European journalists. The Messages vulnerability was exploited with the "Graphite" mercenary spyware created by Paragon. Paragon's spyware has been used in targeted attacks against journalists and human rights activists across multiple platforms.

According to Apple, a maliciously crafted photo or video shared through an iCloud link triggered a logic issue that allowed targeted devices to be compromised. Apple's release notes say that it "is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals."

Apple confirmed to The Citizen Lab that it fixed the vulnerability back when iOS 18.3.1 was released in February, but it is not clear why Apple did not disclose it before today.

Note: Due to the political or social nature of the discussion regarding this topic, the discussion thread is located in our Political News forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Article Link: Apple Quietly Fixed Zero-Day Exploit Used in Paragon Spyware Attack
 
Great to see a US-backed company working on surveilling journalists and activists.

Can't wait to see the feds using this on us
Nothing new. The US government has been using private companies and NGOs for years or likely decades to do their dirty work. The US government might not be allowed to censor or spy on citizens, but they can have a private organization do it for them.
 
Great to see a US-backed company working on surveilling journalists and activists.

Can't wait to see the feds using this on us
That’s probably actually something not related to the current political climate in the US.

Paragon is just making big money by turning a blind eye to who it sells its software to, just like it always has.

Who knows. It could even be some European government doing this. They have been caught in the past.

But it should really trigger your ethics when you see your software used this way. Again and again.
 
These zero-day exploits have occurred occasionally on iOS since the beginning. There's no reason to think that other ones won't be coming down the pipeline in the future, too.
 
Are they usually loud about updates? This makes it sound like Apple secretly did an update without letting users know.
More likely trying to not create a new news cycle about the original exploit. They fixed the issue but left it out of the release notes initially, because of course people are going to be looking at those release notes when an update is brand new. Then once most people have the update and interest has died down, update them so it's on record in case anyone says "there was this exploit and Apple never patched it".
 
Apple really needs to let people know there are zero-day exploits in the wild ASAP. In the current political climate, a LOT of people are going to need protection against government intrusion. Perhaps a good 50% of the population.
 
Apple really needs to let people know there are zero-day exploits in the wild ASAP. In the current political climate, a LOT of people are going to need protection against government intrusion. Perhaps a good 50% of the population.
Apple strongly recommends that people update on nearly every update that has security fixes. Still, people ignore these recommendations.
 
Apple strongly recommends that people update on nearly every update that has security fixes. Still, people ignore these recommendations.
I’ve never seen a notification pop up on my iPhone telling me there’s an emergency zero-day hack that needs to be fixed immediately with a software update. Have you?

I turn off most notifications though because of too much spam, so maybe they do announce them?
 
Nothing new. The US government has been using private companies and NGOs for years or likely decades to do their dirty work. The US government might not be allowed to censor or spy on citizens, but they can have a private organization do it for them.
Just like Apple. I am sure Snowden didn’t make everything up. I also believe the Bloomberg report about China installing chips on Apple’s servers was probably legitimate; why would Apple admit to it? Their whole business model is made in China with slave labor. Funny thing is people believe the marketing hype about Apple caring about our privacy - AAPL cares about the illusion of our privacy.
 
Great to see a US-backed company working on surveilling journalists and activists.

Can't wait to see the feds using this on us
Yup, been going on for years. Paragon, Pegasus, NSO Group are all startups from our "greatest ally," and they sell the software to countries like Saudi Arabia and India, and they all regularly test their tech on Palestinians to market it as "battle tested." Countless mercenary groups from Russia and private military contractors use their tools to assassinate journalists, lawyers, and activists, especially in Yemen.

This technology is already being used against us: police departments and the FBI have been buying Cellebrite and other software for years, and if you're suspected of having ties to anyone who's on the "bad guy list," you lose your privacy rights and can be surveilled.
 
More likely trying to not create a new news cycle about the original exploit. They fixed the issue but left it out of the release notes initially, because of course people are going to be looking at those release notes when an update is brand new. Then once most people have the update and interest has died down, update them so it's on record in case anyone says "there was this exploit and Apple never patched it".
Every time I've seen Apple release updates for security patches, they never describe the actual security flaw. So I guess Apple always "quietly" updates their security vulnerabilities 😂

Just like Apple. I am sure Snowden didn’t make everything up. I also believe the Bloomberg report about China installing chips on Apple’s servers was probably legitimate; why would Apple admit to it?
You're absolutely right that it would not benefit Apple to admit they had a security breach, but if they know customer data has been breached, they have to tell people. This is written into law, from my understanding.

Their whole business model is made in China with slave labor. Funny thing is people believe the marketing hype about Apple caring about our privacy - AAPL cares about the illusion of our privacy.
You just described every product you buy in 2025, at least products sold in the USA. Everything you're wearing was probably made the way you describe. Most of the gadgets in your home were made that way. Likely just about everything you own was made that way. Unfortunately that's a terrible fact of how things are going now, but it's not exclusive to Apple. It's either made in China or a similar country with similar working conditions. In some cases products are made outside of China because China is too strict about working conditions compared to those countries.
 
Apple confirmed to The Citizen Lab that it fixed the vulnerability back when iOS 18.3.1 was released in February, but it is not clear why Apple did not disclose it before today.
I'm afraid it's because the company still refuses to admit that its products are just as insecure and flawed as those from Microsoft or a Linux distribution.

You all remember: "Malware? Not on a Mac."
Ten years ago, this was still an official promise on Apple's website. A clear lie. Computer worm 2006? Anyone?

The company does not want to admit any mistakes or problems.
Conceptual products are "forgotten", technical errors are the fault of customers, and AI assistants delayed by a year and a half were definitely already working when they were first presented. Promise.
 
Every time I've seen Apple release updates for security patches, they never describe the actual security flaw. So I guess Apple always "quietly" updates their security vulnerabilities 😂

You're absolutely right that it would not benefit Apple to admit they had a security breach, but if they know customer data has been breached, they have to tell people. This is written into law, from my understanding.

You just described every product you buy in 2025, at least products sold in the USA. Everything you're wearing was probably made the way you describe. Most of the gadgets in your home were made that way. Likely just about everything you own was made that way. Unfortunately that's a terrible fact of how things are going now, but it's not exclusive to Apple. It's either made in China or a similar country with similar working conditions. In some cases products are made outside of China because China is too strict about working conditions compared to those countries.
I don't live in the USA, but I am a US citizen, and I'm really sick of the whole focus on the top 1% and all the people who don't understand how the world works. The point is it's all become about making the top 1% wealthier as jobs were shipped overseas. Even if companies had to pay the equivalent of US labor costs, they wouldn't have to pay pensions and other benefits like health insurance. About 30 years ago, I started trying to buy stuff not made in China. It has become increasingly difficult, to say the least. I work with clients in Asia who are worth many millions, and even a billionaire. The thing I have noticed here in Asia, especially in Japan, is that the top 1% treat everyone amazingly well. They ensure the janitor is paid well enough to pay their bills, have a family, and so on. That will never happen in America, as it's all greed-focused, and the people just can't see why it's become worse and worse and worse for the last 25 years. Sure, there's money to be made in the tech sector, but there's no more middle class. You're either lower middle class, lower class, or wealthy. And the only real way to become wealthy is focused on taking advantage of others, or creating a new innovation and selling it to people who will monetize it and take advantage of others with it. Seen it over and over and over again.
 
Paragon is just making big money by turning a blind eye to who it sells its software to, just like it always has.

<snip>

But it should really trigger your ethics when you see your software used this way. Again and again.
98th Rule of Acquisition: Every man has his price.

In the Twilight Zone episode "Button, Button", a man delivered a box with a button on it to a couple. He told them if they push the button, they will receive $200,000. In exchange, someone they don't know will die.

Morals and ethics mean little to most corporate executives. If ethics mattered to them, their employees would be compensated fairly. If they don't care about their employees, do you think some random journalist they might never have heard of matters to them?
 