Apple’s operating system updates released this week patch a serious vulnerability used by a zero-click exploit dubbed “FORCEDENTRY” to infect devices with spyware. Owners of Apple devices should update to the latest versions as soon as possible.
Vulnerability details
While analyzing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware, researchers at Citizen Lab captured evidence of an exploit they’ve dubbed FORCEDENTRY. It targets Apple’s image rendering library and is effective against iOS, macOS and watchOS devices.
Citizen Lab believes the vulnerability, tracked by Apple as CVE-2021-30860, was used to remotely exploit the latest versions of Apple OSes and infect them with spyware, as early as February 2021.
The exploit is significant because it was designed to get past Apple’s “BlastDoor” defenses against malicious iMessage content, and because it is a zero-click exploit: no user action is required for execution, so a targeted user has no opportunity to avoid it through vigilance or caution.
FORCEDENTRY delivers a maliciously crafted PDF file, renamed with a .gif extension, to the target over iMessage. When the file is processed, it triggers an integer overflow in Apple’s image rendering library (CoreGraphics) and executes the attacker’s payload.
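The one indicator this report gives a defender to work with is the mismatch between the file’s extension (.gif) and its real content (a PDF). The following check is an added example, not code from Citizen Lab, Apple or NSO Group: it sniffs the leading bytes of each file in a directory and flags any whose extension claims one format while the header says another. The sample files it builds are constructed for the demonstration; the directory name, function names and the set of recognised formats are this example’s own choices, and a hit is a lead to investigate, not proof of FORCEDENTRY.

```python
# Added example: detect files whose extension and magic bytes disagree,
# the ".gif that is really a PDF" pattern described in the report.
import os
import tempfile
from typing import List, Optional, Tuple

# Leading-byte signatures. GIF and PDF are the two formats the report
# describes; PNG and JPEG are included so the scan is useful on a whole
# attachments folder (assumed set, extend as needed).
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

EXT_TO_FORMAT = {
    ".gif": "gif",
    ".pdf": "pdf",
    ".png": "png",
    ".jpg": "jpeg",
    ".jpeg": "jpeg",
}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for signature, fmt in MAGIC.items():
        if data.startswith(signature):
            return fmt
    return None


def extension_mismatch(filename: str, data: bytes) -> Optional[str]:
    """Return '<ext> -> <real format>' when extension and content disagree.

    Files whose extension or content is not recognised are not flagged,
    so the check only reports disagreements it can actually prove.
    """
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXT_TO_FORMAT.get(ext)
    actual = sniff_format(data[:16])
    if claimed is None or actual is None or claimed == actual:
        return None
    return f"{ext} -> {actual}"


def scan_directory(path: str) -> List[Tuple[str, str]]:
    """Walk a directory and return (file path, mismatch) for every hit.

    Only the first 16 bytes of each file are read, so this is cheap to run
    over a large extracted message-attachment tree.
    """
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(16)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hit = extension_mismatch(name, head)
            if hit:
                findings.append((full, hit))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Build constructed sample files in a temp dir and scan them.

    Returns the findings list; exactly one file (fake.gif, a PDF header
    behind a .gif name) should be reported.
    """
    samples = {
        "real.gif": b"GIF89a" + b"\x00" * 10,          # constructed, benign
        "fake.gif": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",   # constructed mismatch
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # constructed, benign
        "notes.txt": b"plain text, not checked",       # unknown ext: ignored
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return [(os.path.basename(p), hit) for p, hit in scan_directory(tmp)]


if __name__ == "__main__":
    for name, hit in demo():
        print(f"{name}: {hit}")
```

On macOS, a natural place to point `scan_directory` is the Messages attachment store under `~/Library/Messages/Attachments`; on an iOS backup the equivalent attachments are in the backup’s file tree. A mismatch is a reason to pull the file for closer analysis, not a verdict on its own.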
Versions/devices affected
- iPhones and iPads with iOS/iPadOS versions prior to 14.8
- macOS prior to Big Sur 11.6
- macOS 10.15 Catalina prior to Security Update 2021-005
- Apple Watches prior to watchOS 7.6.2
Mitigation
Update to the latest versions of Apple operating systems, which contain the fix for CVE-2021-30860:
- iOS 14.8 and iPadOS 14.8
- macOS Big Sur 11.6
- Security Update 2021-005 for macOS 10.15 Catalina
- watchOS 7.6.2
Resources
Citizen Lab report
https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/
Apple security updates
https://support.apple.com/en-us/HT201222