Apple released security updates to address two zero-day vulnerabilities that were exploited in the wild to attack iPhones and Macs.
The flaw in the latest Apple software release allows Pegasus spyware to be installed on the above-mentioned devices without so much as a click.
Pegasus spyware is extremely dangerous because, once installed on a phone, it is able to read a target’s messages, look at their photos, track their movements and even switch on the device. The owner would not be aware of any of this activity.
CVE-2021-30860 and CVE-2021-30858 are two vulnerabilities that allow maliciously designed documents to execute commands when opened on affected devices.
The previously unidentified vulnerability appears to affect all of Apple’s devices, including iPhones, iPads, Apple Watches, and Mac computers.
Apple users were prompted to “immediately” update their devices to the latest security patch.
Apple users were urged Tuesday to update their devices after the tech giant announced a fix for a major software flaw that allows the Pegasus spyware to be installed on phones without so much as a click. https://t.co/NJpMaRhkJ4
— ABS-CBN News (@ABSCBNNews) September 14, 2021
CVE-2021-30860 is a zero-day, zero-click iMessage exploit dubbed “FORCEDENTRY” by the University of Toronto Citizen Lab researchers; the exploit is known to use the image rendering method specific to iMessage, and in that way it skirts Apple’s built-in security systems.
The CVE-2021-30860 CoreGraphics vulnerability, discovered by Citizen Lab, is known to allow threat actors to create PDF documents that can maliciously execute commands when opened on iOS and macOS.
Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.
“Apple is aware of a report that this issue may have been actively exploited,” the company said in security advisories covering both vulnerabilities, as cited by BleepingComputer; the advisories were published at the time of writing.
The FORCEDENTRY vulnerability was revealed to have been used to circumvent the iOS BlastDoor security feature in order to install the NSO Pegasus spyware on Bahraini activists’ smartphones.
The researchers at Citizen Lab believe that the flaw had been used to install Pegasus on devices since February 2021 or possibly earlier.
“Popular chat apps are the soft underbelly of device security. They are on every device,” tweeted John Scott-Railton, one of the senior researchers at Citizen Lab who helped uncover the flaw.
UPDATE YOUR APPLE DEVICES NOW
We caught a zero-click, zero day iMessage exploit used by NSO Group’s #Pegasus spyware.
Target? Saudi activist.
We reported the #FORCEDENTRY exploit to @Apple, which just pushed an emergency update.
THREAD 1/ https://t.co/dVuC1r1yUs pic.twitter.com/KHwtsWRcpA
— John Scott-Railton (@jsrailton) September 13, 2021
This is not the first such issue Apple has faced this year: we’ve witnessed multiple zero-day vulnerabilities used in targeted attacks against iOS and Mac devices.