The Citizen Lab informed about a new zero-click iMessage exploit, FORCEDENTRY, targeting Apple’s image rendering library. Apple released a security update to address the zero-day vulnerability infecting its products.
See also: Why Zero Trust Model is a Top Priority for Security Leaders Today
Not too long ago, media was rife with news about Pegasus spyware from Israeli company NSO Group being used to snoop on activists, journalists, people in political power, and senior government officials across the globe. A list of more than 50,000 people, which were supposedly targeted, was made public. An important aspect, in addition to the spyware, was the vulnerability discovered in the Apple products. The vulnerability was exploited by Pegasus spyware to infect Apple devices like iPhone, iPad, Apple Watch, or Mac, providing access to the camera and microphone and giving access to the digital life of the device user.
The recently reported vulnerability was assigned CVE-2021-30860 and is described as a maliciously crafted PDF that may lead to arbitrary code execution. Earlier in the year, Apple had added a security feature called ‘BlastDoor’ across its operating systems to add an extra security layer in the iMessage. The spyware bypasses this feature and surreptitiously plants itself on the infected device.
The Vulnerabilities
The vulnerabilities tracked as CVE-2021-30860 and CVE-2021-30858, allow maliciously crafted documents to execute commands when accessed on vulnerable devices.
Vulnerability CVE-2021-30860 CoreGraphics is an integer overflow bug discovered by Citizen Lab that allows maliciously crafted PDF to execute arbitrary code when opened in iOS and macOS.
CVE-2021-30858 is a WebKit used after a free vulnerability that allowed hackers to create maliciously crafted web pages that execute commands when they visit them on iPhones and macOS.
In an urgent update, Apple has urged its customers to run the latest software updates for the fixes to take effect by installing iOS 14.8, MacOS 11.6 and WatchOS 7.6.2.
Apple releases formal statement regarding ForcedEntry exploit: pic.twitter.com/X5zTeAAH3X
— Catalin Cimpanu (@campuscodi) September 13, 2021
With the next iOS 15 on the anvil, the company is expected to add security features to fix the spyware intrusion and tighten its defense.