Thursday Apple issued three emergency patches for a vulnerability that could be exploited to install spyware. The patches affect macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1, and watchOS 9.6.2. “A maliciously crafted attachment may result in arbitrary code execution,” the company said in its advisories. “Apple is aware of a report that this issue may have been actively exploited.” The report of active exploitation came from the University of Toronto’s Citizen Lab, which found evidence that NSO Group’s Pegasus spyware was being installed in vulnerable devices through a zero-click exploit the Lab calls “BLASTPASS.” The attacks used PassKit attachments sent as iMessage images. These carried the malicious payload. The patches will protect users against BLASTPASS; so will enabling Apple’s Lockdown Mode on the device.