CATEGORIES
home News

Apple Issues iOS 14.8 And MacOS 11.6 To Fix Serious ForcedEntry Zero-Click Security Flaw

by Brandon HillTuesday, September 14, 2021, 09:18 AM EDT
iphone apple watch
On the eve of its big iPhone 13 unveil, Apple was forced to issue a new software update for its iPhone, iPad, and Mac product lines. As a result, iOS 14.8 and iPadOS 14.8 are now available for the iPhone and iPad, respectively, while Apple issued macOS 11.6 for Macs.

One of the driving factors behind the release of the software updates is a so-called "zero-click" security exploit developed by NSO Group. Citizen Lab has labeled the exploit FORCEDENTRY, and it uses iMessage as an attack vector. Victims were sent files with a .gif extension through iMessage that were actually "maliciously crafted" PDF files that could result in arbitrary code execution.

FORCEDENTRY is so dangerous because it's considered zero-click, and the target isn't even required to interact with the iMessage. Once the device receives the iMessage, the attacker already has the ability to exploit an iPhone or iPad, for example.

apple security nso group

Citizen Lab came to its conclusions by analyzing an iTunes backup of a Saudi activist that claimed to have been hacked by Pegasus spyware. What the reseachers discovered in the code was quite revealing, including the sheer sophistication of the security exploit:

  • 27 copies of an identical file with the ".gif" extension. Despite the extension, the file was actually a 748-byte Adobe PSD file. Each copy of this file caused an IMTranscoderAgent crash on the device. These files each had random-looking ten-character filenames.
  • Four different files with the ".gif" extension that were actually Adobe PDF files containing a JBIG2-encoded stream. Two of these files had 34-character names, and two had 97-character names.

It was later determined that the NSO Group exploited an integer overflow vulnerability in Apple's CoreGraphics image rendering library, which has now been assigned CVE-2021-30860.

"Our latest discovery of yet another Apple zero day employed as part of NSO Group's arsenal further illustrates that companies like NSO Group are facilitating "despotism-as-a-service" for unaccountable government security agencies," Citizen Lab writes. "Regulation of this growing, highly profitable, and harmful marketplace is desperately needed."

For its part, Apple was notified of Citizen Group's finding on September 7th, and a patch was issued in less than a week. "Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals," said Ivan Krstić, head of Apple Security Engineering and Architecture.

We'd urge iPhone, iPad, and Mac users to update their devices immediately using the on-device Software Update mechanism. Apple Watch users are also affected, and they can update to watchOS 7.6.2 using the Software Update feature on a paired iPhone from within the Apple Watch app.

Tags:  Apple, security, exploit, (NASDAQ:AAPL), forcedentry, ios 14.8, macos 11.6
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment