The patches fix three vulnerabilities, dubbed "Trident" by security firm Lookout, which could be used to access the device's location, read contacts, texts, calls, and emails, as well as turn on the device's microphone.
The company said that spyware that exploited the vulnerabilities was developed by an Israel-based company specializing in zero-day exploits.
Citizen Lab explained in a blog post that it had uncovered an operation by the security services of the United Arab Emirates to try to get into the iPhone of a renowned human rights defender, Ahmed Mansoor.
The Canada-based security lab said that the UAE, which has long been criticized for its poor human rights record, could turn an affected iPhone into "a sophisticated bugging device", adding:
"They would have been able to turn on his iPhone's camera and microphone to record Mansoor and anything nearby, without him being wise about it. They would have been able to log his emails and calls -- even those that are encrypted end-to-end. And, of course, they would have been able to track his precise whereabouts," said the blog post.
Lookout said that the flaws included a memory corruption flaw in WebKit, which would let an attacker exploit a device when a user clicks on an affected link. The two other vulnerabilities, both in the kernel, would let an attacker jailbreak the device and then silently install malware to carry out surveillance.
Apple fixed the vulnerabilities within 10 days of being informed by Citizen Lab and Lookout.
A spokesperson for Apple said in an email to ZDNet: "We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits."
Users can install the update over the air through the phone or tablet's settings.