Apple has released several security updates this week to close the “FORCEDENTRY” vulnerability on iOS devices. The zero-click, zero-day vulnerability was exploited by Pegasus, a spyware program developed by Israel’s NSO Group that has been used to target activists, journalists, and celebrities around the world.
Tracked as CVE-2021-30860, the vulnerability requires little to no interaction by an iPhone user to be exploited, hence the name “FORCEDENTRY.”
Discovery on a Saudi activist’s iPhone
In March, researchers at Citizen Lab analyzed the iPhone of an unnamed Saudi activist who had been targeted by NSO Group’s Pegasus spyware. They obtained an iTunes backup of the device, and a review of the dump revealed 27 copies of a mysterious GIF file in various places, except that the files were not images.
They were Adobe Photoshop PSD files saved with the extension “.gif”; the researchers determined that the files were “sent to the phone immediately before it was hacked” with the Pegasus spyware.
“Despite the extension, the file is actually a 748-byte Adobe PSD file. Each copy of the file caused an IMTranscoderAgent crash on the device,” the researchers explained in their report.
Because these crashes resemble behavior the same researchers previously found on the hacked iPhones of nine Bahraini activists, they suspect the GIFs are part of the same exploit chain. There were also other fake GIFs on the device, which they believe are malicious Adobe PDFs with long file names.
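A triage check of the kind this finding suggests, added here as an example and not part of Citizen Lab’s report or tooling: it walks an extracted backup directory and flags every “.gif” whose leading bytes are a PSD or PDF signature rather than a GIF header. The directory layout and sample files are constructed.

```python
import os
import tempfile

# Signatures: a real GIF header vs. the PSD/PDF payloads described (constructed table).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "psd": (b"8BPS",),
    "pdf": (b"%PDF-",),
}

def sniff_type(head):
    """Name the format whose signature matches the leading bytes, or None."""
    for name, sigs in MAGIC.items():
        if any(head.startswith(s) for s in sigs):
            return name
    return None

def find_masquerading_gifs(root):
    """Walk an extracted backup directory and return (relative path, size,
    sniffed type) for every *.gif whose content is not actually a GIF."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".gif"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                head = fh.read(8)  # longest signature above is 6 bytes
            kind = sniff_type(head)
            if kind != "gif":
                rel = os.path.relpath(path, root)
                hits.append((rel, os.path.getsize(path), kind or "unknown"))
    return sorted(hits)

def build_sample_backup():
    """Constructed sample tree: a genuine GIF, a PSD and a PDF renamed to .gif
    (the PSD padded to the 748 bytes the report mentions), and a JPEG."""
    root = tempfile.mkdtemp(prefix="backup_")
    os.mkdir(os.path.join(root, "attachments"))
    samples = {
        "attachments/real.gif": b"GIF89a" + b"\x00" * 10,
        "attachments/fake_psd.gif": b"8BPS" + b"\x00" * 744,
        "fake_pdf.gif": b"%PDF-1.7\n" + b"%" * 20,
        "photo.jpg": b"\xff\xd8\xff\xe0",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root
```

Run `find_masquerading_gifs(build_sample_backup())` to see only the two renamed files reported, with their size and sniffed type.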
“Citizen Lab disclosed the vulnerability and code to Apple, which assigned the FORCEDENTRY vulnerability CVE-2021-30860 and described it as ‘processing a maliciously crafted PDF could lead to arbitrary code execution,’” the authors of the report explained.
Researchers say the vulnerability has been exploited remotely by the NSO Group since at least February 2021 to infect new Apple devices with the Pegasus spyware.
Apple releases several security updates
Yesterday, Apple released a series of security updates to fix CVE-2021-30860 across macOS, watchOS, and iOS devices. Apple says the vulnerability can be exploited when a vulnerable application parses a maliciously crafted PDF, giving the attacker the ability to execute arbitrary code.
“Apple is aware of a report that this issue may have been actively exploited,” Apple wrote in one of the advisories. The advisories did not provide further information on how the flaw is being used.
iPhone and iPad users should install the latest OS versions, iOS 14.8 and iPadOS 14.8, to close the flaw. Mac users should upgrade to Catalina 2021-005 or macOS Big Sur 11.6. Apple Watch owners should get watchOS 7.6.2. All versions before the fixed releases are vulnerable.
Another arbitrary code execution vulnerability, this one in the Safari browser, was reported by an anonymous researcher. Tracked as CVE-2021-30858, the use-after-free vulnerability is also fixed by the update released as Safari 14.1.2.
“We all have highly personal devices that have profound implications for personal privacy. There are many examples of (these risks), such as app data collection—which Apple recently moved to curb with its App Tracking Transparency strategy,” Jesse Rothstein, CTO and co-founder of network security firm ExtraHop, told Ars. “Any sophisticated system has security vulnerabilities that can be exploited, and our cell phones are no exception.”
“Pegasus shows how unknown vulnerabilities can be exploited to access highly sensitive personal information,” Rothstein said. “The NSO Group is an example of how governments can specifically outsource or buy armed cyber capabilities. In my view, this is no different from arms deals – it’s not a strategy in that way. Companies often will have to cover their vulnerabilities, but the regulations will help prevent some cyber weapons from being misused or falling into the wrong hands.”