Apple on Monday released an emergency software update to fix a zero-day zero-click exploit against iMessage that could allow hackers to directly infect various consumer Apple products with invasive spyware without the user having to click on anything.
The critical security vulnerability, dubbed “FORCEDENTRY”, was discovered by researchers at Citizen Lab, a cybersecurity watchdog organization at the University of Toronto, while analyzing the phone of an anonymous Saudi activist who was infected with an advanced form of NSO Group’s Pegasus spyware.
This is the first time that a “zero-click” exploit has been caught and analyzed.
According to Citizen Lab, the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware.
The researchers believe that FORCEDENTRY has been in use since at least February 2021.
The exploit abused an integer overflow vulnerability in Apple’s image rendering library (CoreGraphics) and was effective against iOS, macOS, and watchOS devices.
Citizen Lab found the malicious code on September 7th and immediately notified Apple. On September 13th, Apple assigned the FORCEDENTRY vulnerability CVE-2021-30860 and described it as “processing a maliciously crafted PDF may lead to arbitrary code execution.”
The company rapidly developed a fix and released an update patching CVE-2021-30860.
According to Apple, the devices affected by CVE-2021-30860 are all iPhones running iOS versions prior to 14.8, all Macs running macOS versions prior to Big Sur 11.6 (or Catalina without Security Update 2021-005), and all Apple Watches running watchOS versions prior to 7.6.2.
Talking about the update, Apple said that it “doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.”
Apple urged its users to install the latest software updates immediately for the fixes to take effect: iOS 14.8, macOS 11.6, and watchOS 7.6.2 on their iPhones, iPads, Macs, and Apple Watches.
To do so, open Settings, go to General > Software Update, then tap Download and Install (or Install Now) to update to the latest OS.
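For anyone checking a fleet rather than a single phone, here is an added Python example (mine, not Apple’s or Citizen Lab’s code) that classifies device records against the fixed versions named in this article; the platform names, the inventory format and the treatment of Catalina are my assumptions.

```python
# Added example (not from the article): classify an Apple device's OS version
# against the fixed versions Apple shipped for CVE-2021-30860 (FORCEDENTRY).
# Fixed versions are the ones the article names; any release at or above them
# is treated as patched. Version parsing and the "unknown" verdict for Catalina
# are assumptions of this example, not logic taken from Apple's advisory.

FIXED_VERSIONS = {
    "ios": (14, 8),
    "ipados": (14, 8),
    "macos": (11, 6),
    "watchos": (7, 6, 2),
}

def parse_version(text):
    """Turn '14.7.1' into (14, 7, 1); missing components compare as zero."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"bad version component {piece!r} in {text!r}")
        parts.append(int(piece))
    return tuple(parts)

def pad(v, n):
    return v + (0,) * (n - len(v))

def assess(platform, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one device record."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unsupported platform {platform!r}")
    current = parse_version(version)
    fixed = FIXED_VERSIONS[key]
    if key == "macos" and current[:2] == (10, 15):
        # Catalina was fixed by Security Update 2021-005, which does not bump
        # the product version, so the version alone cannot decide; check the build.
        return "unknown"
    # Anything older than Catalina (e.g. 10.14) falls below 11.6 and is
    # conservatively reported as vulnerable, since no fix was listed for it.
    width = max(len(current), len(fixed))
    if pad(current, width) >= pad(fixed, width):
        return "patched"
    return "vulnerable"

def triage(inventory):
    """Count devices per verdict from (platform, version) pairs, e.g. an MDM export."""
    counts = {"patched": 0, "vulnerable": 0, "unknown": 0}
    for platform, version in inventory:
        counts[assess(platform, version)] += 1
    return counts

# Constructed sample inventory for demonstration, not real devices.
SAMPLE = [("iOS", "14.8"), ("iOS", "14.7.1"), ("macOS", "11.5.2"),
          ("macOS", "11.6"), ("macOS", "10.15.7"), ("watchOS", "7.6.2")]

if __name__ == "__main__":
    print(triage(SAMPLE))  # → {'patched': 3, 'vulnerable': 2, 'unknown': 1}
```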
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” said Ivan Krstic, Head of Apple Security Engineering and Architecture.
“While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
Apple also plans to add further spyware defenses to iMessage, its messaging application, in the iOS 15 update scheduled for release later this year.