Apple Issues iOS 14.8 And MacOS 11.6 To Fix Serious ForcedEntry Zero-Click Security Flaw
One of the driving factors behind the release of the software updates is a so-called "zero-click" security exploit developed by NSO Group. Citizen Lab has labeled the exploit FORCEDENTRY, and it uses iMessage as an attack vector. Victims were sent files with a .gif extension through iMessage that were actually "maliciously crafted" PDF files that could result in arbitrary code execution.
FORCEDENTRY is so dangerous because it's considered zero-click, and the target isn't even required to interact with the iMessage. Once the device receives the iMessage, the attacker already has the ability to exploit an iPhone or iPad, for example.
Citizen Lab came to its conclusions by analyzing an iTunes backup of a Saudi activist who claimed to have been hacked by Pegasus spyware. What the researchers discovered in the backup was quite revealing, including the sheer sophistication of the security exploit:
- 27 copies of an identical file with the ".gif" extension. Despite the extension, the file was actually a 748-byte Adobe PSD file. Each copy of this file caused an IMTranscoderAgent crash on the device. These files each had random-looking ten-character filenames.
- Four different files with the ".gif" extension that were actually Adobe PDF files containing a JBIG2-encoded stream. Two of these files had 34-character names, and two had 97-character names.
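The two indicators above share one defensive signal: an attachment whose extension claims GIF but whose leading bytes identify a different format. The script below is an added example (not Citizen Lab's or Apple's code) that compares a file's extension against its magic bytes and, for PDFs, notes whether a JBIG2Decode filter is declared; the sample files and their names are constructed for the demo, and only the standard format signatures are assumed.

```python
"""Flag attachments whose ".gif" extension does not match their content.

Added example, not Citizen Lab's or Apple's code. The sample files below are
constructed for this demo; the magic bytes are the standard ones for each format.
"""
from __future__ import annotations

# Standard file signatures (magic bytes) for the formats named in the report.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "psd": (b"8BPS",),
    "pdf": (b"%PDF-",),
}


def detect_type(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return "unknown"


def uses_jbig2(data: bytes) -> bool:
    """True if a PDF declares a JBIG2Decode filter, the stream type named in the report."""
    return b"/JBIG2Decode" in data


def find_mismatches(files: dict[str, bytes]) -> list[dict]:
    """Return one finding per file whose name ends in .gif but whose content is not GIF."""
    findings = []
    for name, data in files.items():
        if not name.lower().endswith(".gif"):
            continue
        actual = detect_type(data)
        if actual == "gif":
            continue  # extension and content agree; nothing to report
        findings.append({
            "file": name,
            "claimed": "gif",
            "actual": actual,
            "size": len(data),
            # only meaningful for PDFs; records whether a JBIG2 stream is declared
            "jbig2": actual == "pdf" and uses_jbig2(data),
        })
    return findings


# Constructed sample set modelled on the indicators above: a genuine GIF,
# a ".gif" that is really a PSD, and a ".gif" that is really a PDF using JBIG2.
SAMPLE_FILES = {
    "cat.gif": b"GIF89a" + b"\x00" * 20,
    "Ab3kZ9qLmP.gif": b"8BPS" + b"\x00\x01" + b"\x00" * 20,  # PSD header, 10-char random-looking name
    "a" * 30 + ".gif": b"%PDF-1.7\n1 0 obj\n<< /Filter /JBIG2Decode >>\nstream\n",  # 34-char name
}

if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_FILES):
        print(finding)
```

Run against a directory of extracted iMessage attachments, a check like this separates the two indicator classes (PSD-as-GIF and PDF-as-GIF) from ordinary images without opening the files in any image decoder, which is the point when the decoder itself is the vulnerable component.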
It was later determined that the NSO Group exploited an integer overflow vulnerability in Apple's CoreGraphics image rendering library, which has now been assigned CVE-2021-30860.
"Our latest discovery of yet another Apple zero day employed as part of NSO Group's arsenal further illustrates that companies like NSO Group are facilitating 'despotism-as-a-service' for unaccountable government security agencies," Citizen Lab writes. "Regulation of this growing, highly profitable, and harmful marketplace is desperately needed."
For its part, Apple was notified of Citizen Lab's finding on September 7th, and a patch was issued in less than a week. "Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals," said Ivan Krstić, head of Apple Security Engineering and Architecture.
We'd urge iPhone, iPad, and Mac users to update their devices immediately using the on-device Software Update mechanism. Apple Watch users are also affected, and they can update to watchOS 7.6.2 using the Software Update feature on a paired iPhone from within the Apple Watch app.