Heimdal

Apple has released security updates to fix two zero-day vulnerabilities that were exploited in the wild to attack iPhones and Macs.

A flaw in the latest Apple software release allows Pegasus spyware to be installed on the above-mentioned devices without so much as a click.

Pegasus spyware is extremely dangerous because, once installed on a phone, it is able to read a target’s messages, look at their photos, track their movements and even switch on the device. The owner would not be aware of any of this activity.

CVE-2021-30860 and CVE-2021-30858 are two vulnerabilities that allow maliciously designed documents to execute commands when opened on affected devices.

The previously unidentified vulnerability appears to affect all of Apple’s devices, including iPhones, iPads, Apple Watches, and Mac computers.

Apple users were prompted to “immediately” update their devices to the latest security patch.

CVE-2021-30860 is a zero-day, zero-click iMessage exploit dubbed “FORCEDENTRY” by researchers at the University of Toronto’s Citizen Lab; the exploit is known to use the image rendering method specific to iMessage, and in that way it skirts Apple’s built-in security systems.

The CVE-2021-30860 CoreGraphics vulnerability, discovered by Citizen Lab, is known to allow threat actors to create PDF documents that can maliciously execute commands when opened under iOS and macOS.

Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.


According to BleepingComputer, the company said in the security advisories covering both vulnerabilities, published at the time of writing, that “Apple is aware of a report that this issue may have been actively exploited.”

The FORCEDENTRY vulnerability was revealed to have been used to circumvent the iOS BlastDoor security feature in order to install the NSO Pegasus spyware on Bahraini activists’ smartphones.

The researchers at Citizen Lab believe that the flaw had been used to install Pegasus on devices since February 2021 or possibly earlier.

“Popular chat apps are the soft underbelly of device security. They are on every device,” tweeted John Scott-Railton, one of the senior researchers at Citizen Lab who helped uncover the flaw.

This is not the first issue Apple has faced this year, as we’ve witnessed multiple zero-day vulnerabilities used in targeted attacks against iOS and Mac devices.

Author Profile

Dora Tudor

Cyber Security Enthusiast

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.
