Apple has released several security updates this week to patch a “FORCEDENTRY” vulnerability on iOS devices. The “zero-click, zero-day” vulnerability has been actively exploited by Pegasus, a spyware app developed by the Israeli company NSO Group, which has been known to target activists, journalists, and prominent people around the world.
Tracked as CVE-2021-30860, the vulnerability needs little to no interaction by an iPhone user to be exploited—hence the name “FORCEDENTRY.”
Discovered on a Saudi activist’s iPhone
In March, researchers at The Citizen Lab decided to analyze the iPhone of an unnamed Saudi activist who was targeted by NSO Group’s Pegasus spyware. They obtained an iTunes backup of the device, and a review of the dump revealed 27 copies of a mysterious GIF file in various places—except the files were not images.
They were Adobe Photoshop PSD files saved with a “.gif” extension; the sharp-eyed researchers determined that the files were “sent to the phone immediately before it was hacked” with Pegasus spyware.
“Despite the extension, the file was actually a 748-byte Adobe PSD file. Each copy of this file caused an IMTranscoderAgent crash on the device,” explained the researchers in their report.
Because these crashes resembled behavior previously seen by the same researchers on hacked iPhones of nine Bahraini activists, the researchers suspected that the GIFs were part of the same exploit chain. A few other fake GIFs were also present on the device; they were deemed to be malicious Adobe PDFs with longer filenames.
“The Citizen Lab disclosed the vulnerability and code to Apple, which has assigned the FORCEDENTRY vulnerability CVE-2021-30860 and describes the vulnerability as ‘processing a maliciously crafted PDF may lead to arbitrary code execution,'” explained the authors of the report.
Researchers say that the vulnerability has been remotely exploited by the NSO Group since at least February 2021 to infect the latest Apple devices with Pegasus spyware.
Apple releases several security advisories
Yesterday, Apple released several security updates to fix CVE-2021-30860 across macOS, watchOS, and iOS devices. Apple says the vulnerability can be exploited by “processing a maliciously crafted PDF” and grant an attacker code execution capabilities.
“Apple is aware of a report that this issue may have been actively exploited,” Apple wrote in one of the advisories, releasing no further information on how the flaw could be exploited.
iPhone and iPad users should install the latest OS versions, iOS 14.8 and iPadOS 14.8, to patch the flaw. Mac users should upgrade to Catalina 2021-005 or macOS Big Sur 11.6. Apple Watch wearers should get watchOS 7.6.2. All versions prior to the fixed releases are at risk.
Another arbitrary code execution vulnerability in the Safari browser was reported by an anonymous researcher. Tracked as CVE-2021-30858, the use-after-free vulnerability has also been patched by an update released in Safari 14.1.2.
“We all carry highly sophisticated personal devices which have profound implications for personal privacy. There are many examples of [these risks], such as app data collection––which Apple recently moved to curb with its App Tracking Transparency framework,” Jesse Rothstein, CTO and co-founder of network security firm ExtraHop, told Ars. “Any sufficiently sophisticated system has security vulnerabilities that can be exploited, and mobile phones are no exception.”
“Pegasus shows how unknown vulnerabilities can be exploited to access highly sensitive personal information,” said Rothstein. “The NSO group is an example of how governments can essentially outsource or purchase weaponized cyber capabilities. In my view, this is no different than arms dealing––it’s just not regulated that way. Companies are always going to have to patch their vulnerabilities, but regulations will help prevent some of these cyber weapons from being misused or falling into the wrong hands.”