Apple released several security updates this week to patch a “FORCEDENTRY” vulnerability on iOS devices. The “zero-click, zero-day” vulnerability has been actively exploited by Pegasus, a spyware app developed by Israeli company NSO Group, known to target activists, journalists and prominent people around the world.
Tracked as CVE-2021-30860, the vulnerability requires little to no interaction from an iPhone user to be exploited, hence the name ‘FORCEDENTRY’.
Discovered on the iPhone of a Saudi activist
In March, researchers at The Citizen Lab decided to analyze the iPhone of an unnamed Saudi activist who was targeted by NSO Group’s Pegasus spyware. They obtained an iTunes backup of the device, and a review of the dump revealed 27 copies of a mysterious GIF file in various places, except that the files weren’t images.
They were Adobe Photoshop PSD files saved with the “.gif” extension; the observant researchers determined that the files were “sent to the phone immediately before it was hacked” containing Pegasus spyware.
“Despite the extension, the file was actually a 748-byte Adobe PSD file. Any copy of this file caused an IMTranscoderAgent crash on the device,” the researchers explain in their report.
Because these crashes resembled behavior the same researchers previously saw on hacked iPhones belonging to nine Bahraini activists, the researchers suspected the GIFs were part of the same exploit chain. A few other fake GIFs were also present on the device; they were considered malicious Adobe PDFs with longer filenames.
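The mismatch described above, a ".gif" name on content that is really PSD or PDF, can be checked by comparing each file's leading bytes with its extension. The following is an added example, not code from The Citizen Lab or Apple; it assumes the backup has already been extracted to a directory tree with original file names, and the sample files and their names are constructed.

```python
import tempfile
from pathlib import Path

# Leading magic bytes for the three formats named in the article.
MAGIC = {"gif": (b"GIF87a", b"GIF89a"), "psd": (b"8BPS",), "pdf": (b"%PDF-",)}

def sniff(header: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for fmt, sigs in MAGIC.items():
        if any(header.startswith(s) for s in sigs):
            return fmt
    # PDF readers commonly tolerate junk before the header, so look further in.
    if b"%PDF-" in header[:1024]:
        return "pdf"
    return "unknown"

def find_mismatched_gifs(root):
    """List (name, actual_format, size) for .gif files whose content is not GIF."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".gif":
            with path.open("rb") as fh:
                actual = sniff(fh.read(1024))
            if actual != "gif":
                hits.append((path.name, actual, path.stat().st_size))
    return hits

def build_sample_tree(root):
    """Constructed sample files: headers and padding only, no real content."""
    samples = {
        "photo.gif": b"GIF89a" + b"\x00" * 32,                      # genuine GIF header
        "Attachments/aa/one.gif": b"8BPS\x00\x01" + b"\x00" * 742,  # PSD header, 748 bytes
        "Attachments/bb/two-long-name.gif": b"%PDF-1.3\n" + b"\x00" * 16,
        "Attachments/cc/empty.gif": b"",                            # edge case: empty file
    }
    for rel, data in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)

def demo():
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return find_mismatched_gifs(d)

if __name__ == "__main__":
    for name, actual, size in demo():
        print(f"{name}: extension .gif, content {actual}, {size} bytes")
```

A hit from this check only marks a file for closer review; it says nothing about whether the content is malicious.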
“The Citizen Lab disclosed the vulnerability and code to Apple, which has assigned the FORCEDENTRY vulnerability CVE-2021-30860 and describes the vulnerability as ‘processing a maliciously crafted PDF may lead to arbitrary code execution,’” the authors of the report said.
Researchers say the vulnerability has been exploited remotely by the NSO Group since at least February 2021 to infect the latest Apple devices with Pegasus spyware.
Apple releases several security updates
Yesterday, Apple released several security updates to fix CVE-2021-30860 on macOS, watchOS, and iOS devices. Apple says the vulnerability can be exploited when a vulnerable device parses a malicious PDF, granting an attacker code execution capabilities.
“Apple is aware of a report that this issue may have been actively exploited,” Apple wrote in one of the advisories, without disclosing further information about how the flaw could be exploited.
iPhone and iPad users should install the latest OS versions, iOS 14.8 and iPadOS 14.8, to fix the flaw. Mac users should upgrade to Catalina 2021-005 or macOS Big Sur 11.6. Apple Watch wearers should get watchOS 7.6.2. All versions prior to the fixed releases are at risk.
An anonymous researcher reported another arbitrary code execution vulnerability in the Safari browser. Tracked as CVE-2021-30858, the use-after-free vulnerability has also been addressed in Safari 14.1.2.
“We all have highly sophisticated personal devices that have profound implications for personal privacy. There are many examples of [these risks], like app data collection — which Apple recently conquered with its App Tracking Transparency framework,” Jesse Rothstein, CTO and co-founder of network security firm ExtraHop, told Ars. “Any sufficiently advanced system has security vulnerabilities that can be exploited, and cell phones are no exception.”
“Pegasus demonstrates how unknown vulnerabilities can be exploited to gain access to highly sensitive personal information,” Rothstein said. “The NSO Group is an example of how governments can essentially outsource or buy armed cyber capabilities. In my view, this is no different from arms trading – it’s just not regulated that way. Companies will always have to patch their vulnerabilities, but regulation will help prevent some of these cyberweapons from being misused or falling into the wrong hands.”