- Apple addressed the zero-day on iMessage that was being exploited by NSO’s spyware, ‘Pegasus’.
- The flaw is click-less and interaction-less, so there can be no protection against it if you don’t update your device.
- It took Apple a while to address it as the previous two bug-fixing releases plugged other nasty flaws.
Apple released iOS and iPadOS 14.8, fixing a zero-day iMessage exploit used by NSO Pegasus (named ‘FORCEDENTRY’ by Citizen Lab, which discovered and reported it first). The flaw is tracked as ‘CVE-2021-30860,’ and it is a vulnerability in CoreGraphics. It is triggered by getting the target device to process a malicious PDF document, leading to arbitrary code execution. A second actively exploited bug addressed with this update is CVE-2021-30858, a use-after-free bug in Safari’s engine, WebKit.
The same two flaws were addressed for macOS Big Sur with version 11.6, while the CoreGraphics flaw was fixed with watchOS 7.6.2 too, so the general advice is to update all your Apple devices now. For those using Safari, Apple’s own and default web browser, make sure that you’re running version 14.1.2.
‘FORCEDENTRY’ is a click-less, interaction-less zero-day, so failing to update may leave you open to stealthy attacks. The particular flaw has been confirmed to work against iOS 14.4 and iOS 14.6, but when Apple released iOS 14.7, there was no mention of an iMessage fix. Then came iOS 14.7.1, which fixed ‘CVE-2021-30807’, a critical privilege escalation buffer overflow bug, but still said nothing about the iMessage zero-day. Finally, we now know that the speculation wasn’t baseless, as Apple has at last fixed the dangerous flaw.
Pathlock’s president, Kevin Dunne, has shared the following comment with us:
In the past, users could be trained to avoid spyware infections by looking out for suspicious SMS messages and making sure not to click on links from any numbers they did not recognize. However, spyware attackers have now engineered zero-click attacks which are able to get full access to a phone's data and microphone/camera by using vulnerabilities in third-party apps or even built-in applications. Organizations need to make sure they have control over what applications users download onto their phones, and can ensure they are up to date so any vulnerabilities are patched.
To update your iPhone or iPad, go to Settings → General, and then tap Software Update. Do not ignore the red badge on the Settings icon, and don’t delay applying the update, as you could be under attack already without noticing any telltale signs. According to Citizen Lab, some side-effects of FORCEDENTRY being deployed on an iPhone include random segfaults and thermal monitor daemon errors.
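For organizations that need to confirm their fleet is on the fixed releases named above (iOS/iPadOS 14.8, macOS 11.6, watchOS 7.6.2, Safari 14.1.2), the following is an added example, not code from this article or from Apple or Citizen Lab. It compares reported versions numerically rather than as strings, so that 14.10 sorts after 14.8 and 14.7.1 sorts before 14.8. The inventory format and device names are constructed assumptions standing in for an MDM export.

```python
"""Patch-level check for the FORCEDENTRY fixes (CVE-2021-30860 / CVE-2021-30858).

Added example; not the article's or Apple's code. The minimum versions come
from the article; the inventory layout is an assumed MDM-style export.
"""
from __future__ import annotations

# Minimum fixed releases named in the article.
FIXED_VERSIONS = {
    "iOS": "14.8",
    "iPadOS": "14.8",
    "macOS": "11.6",
    "watchOS": "7.6.2",
    "Safari": "14.1.2",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '14.7.1' into (14, 7, 1). Tuple comparison then orders releases
    correctly: (14, 8) > (14, 7, 1) and (14, 10) > (14, 8), which a plain
    string comparison would get wrong."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, version: str) -> bool:
    """True when `version` is at or above the fixed release for `platform`."""
    if platform not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version known for platform {platform!r}")
    return parse_version(version) >= parse_version(FIXED_VERSIONS[platform])


def unpatched_devices(inventory: list[dict]) -> list[str]:
    """Names of devices in an MDM-style export that still need the update."""
    return [
        device["name"]
        for device in inventory
        if not is_patched(device["platform"], device["version"])
    ]


# Constructed sample inventory; names and versions are hypothetical.
SAMPLE_INVENTORY = [
    {"name": "iphone-ceo", "platform": "iOS", "version": "14.7.1"},
    {"name": "ipad-sales-03", "platform": "iPadOS", "version": "14.8"},
    {"name": "mbp-dev-12", "platform": "macOS", "version": "11.5.2"},
    {"name": "watch-ops-01", "platform": "watchOS", "version": "7.6.2"},
    {"name": "mbp-dev-12/safari", "platform": "Safari", "version": "14.1.2"},
]

if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print(f"UPDATE REQUIRED: {name}")
```

Run against a real export, the check flags every device still below the fixed release; in the constructed sample, the iPhone on 14.7.1 and the Mac on 11.5.2 are reported, while the devices already on the fixed versions pass.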