Apple has released several security updates this week to patch the “FORCEDENTRY” vulnerability on iOS devices. Pegasus, spyware developed by the Israeli company NSO Group and known to be used against activists, journalists and prominent individuals around the world, has actively exploited the “zero-click, zero-day” vulnerability.
Registered as CVE-2021-30860, the vulnerability requires little or no interaction by an iPhone user to be exploited, hence the name “FORCEDENTRY”.
Discovered on the iPhone of a Saudi activist
In March, researchers at The Citizen Lab decided to analyze the iPhone of an anonymous Saudi activist who was attacked by NSO Group’s Pegasus spyware. They obtained an iTunes backup of the device, and a review of the dump revealed 27 copies of a mysterious GIF file in various places, except that the files were not images.
They were Adobe Photoshop PSD files saved with a “.gif” extension; the sharp-eyed investigators determined that the files “were sent to the phone immediately before it was hacked” with Pegasus spyware.
“Despite the extension, the file was actually a 748-byte Adobe PSD file. Each copy of this file caused an IMTranscoderAgent device failure,” the researchers explained in their report.
Because these crashes resembled behaviour previously seen by the same researchers on hacked iPhones belonging to nine Bahraini activists, the researchers suspected that the GIFs were part of the same exploit chain. Some other fake GIFs were also present on the device; they were determined to be malicious Adobe PDF files with longer file names.
“The Citizen Lab disclosed the vulnerability and the code to Apple, which assigned the FORCEDENTRY vulnerability CVE-2021-30860 and describes the vulnerability as ‘Processing a maliciously crafted PDF may lead to the execution of arbitrary code,’” the authors of the report explained.
Researchers say the vulnerability has been remotely exploited by the NSO Group since at least February 2021 to infect the latest Apple devices with Pegasus spyware.
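As an added example (not code from Citizen Lab’s report or from Apple), the following Python script turns the indicator described above into a defensive check: it walks an extracted iTunes backup directory and flags files with a “.gif” extension whose leading bytes identify them as PSD or PDF rather than GIF. The backup directory and file contents are constructed samples; the signatures are the standard magic bytes of those formats.

```python
import os
import tempfile

# Standard leading-byte signatures for the formats discussed in the report.
SIGNATURES = {
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
    b"8BPS": "PSD",   # Adobe Photoshop document
    b"%PDF-": "PDF",  # Adobe PDF
}


def sniff_format(data: bytes) -> str:
    """Return the real format implied by a file's first bytes, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def find_masquerading_gifs(root: str):
    """Walk a directory tree and report .gif files whose content is not a GIF.

    Returns a list of (path, real_format, size_in_bytes) tuples."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".gif"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(8)
            real = sniff_format(head)
            if real != "GIF":
                hits.append((path, real, os.path.getsize(path)))
    return hits


def build_sample_backup() -> str:
    """Create a constructed sample 'backup' directory (not real Pegasus artifacts)."""
    root = tempfile.mkdtemp(prefix="backup_")
    samples = {
        "real.gif": b"GIF89a" + b"\x00" * 20,                 # genuine GIF
        "psd_as.gif": b"8BPS" + b"\x00\x01" + b"\x00" * 742,  # 748-byte PSD named .gif
        "pdf_as.gif": b"%PDF-1.4\n%constructed\n",            # PDF named .gif
        "notes.txt": b"not an image at all",                  # ignored: not .gif
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for path, real, size in find_masquerading_gifs(build_sample_backup()):
        print(f"{path}: claims .gif but is {real} ({size} bytes)")
```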
Apple Releases Several Security Advisories
Yesterday, Apple released several security updates to fix CVE-2021-30860 on macOS, watchOS and iOS devices. Apple says the vulnerability can be exploited by “processing a maliciously crafted PDF”, giving the attacker code execution capabilities.
“Apple is aware of a report that this problem may have been actively exploited,” Apple wrote in one of the notices, without disclosing more information on how the flaw could be exploited.
iPhone and iPad users must install the latest versions of the operating system, iOS 14.8 and iPadOS 14.8, to fix the flaw. Mac users must update to Catalina 2021-005 or macOS Big Sur 11.6. Apple Watch users should get watchOS 7.6.2. All versions prior to the fixed versions are at risk.
An anonymous researcher reported another arbitrary code execution vulnerability in the Safari browser. Registered as CVE-2021-30858, the use-after-free vulnerability has also been patched in the Safari 14.1.2 update.
“We all carry highly sophisticated personal devices that have profound implications for personal privacy. There are many examples of [these risks], such as app data collection, which Apple recently moved to curb with its App Tracking Transparency,” Jesse Rothstein, chief technology officer and co-founder of network security company ExtraHop, told Ars. “Any sufficiently sophisticated system has security vulnerabilities that can be exploited, and mobile phones are no exception.”
“Pegasus shows how unknown vulnerabilities can be exploited to access highly sensitive personal information,” Rothstein said. “NSO Group is an example of how governments can essentially outsource or buy armed cyber capabilities. In my opinion, this is no different from arms trafficking; it is just not regulated that way. Companies will always have to correct their vulnerabilities, but regulation would help prevent some of these cyber weapons from being misused or falling into the wrong hands.”