Tech

Apple Fixes Pegasus-Exploited Zero-Day Through iOS 14.8 and macOS 11.6

By Bill Toulas / September 14, 2021

Apple released iOS and iPadOS 14.8, fixing a zero-day iMessage exploit used by NSO Pegasus (named ‘FORCEDENTRY’ by CitizenLab, who discovered and reported on it first). The flaw is tracked as ‘CVE-2021-30860,’ and it is a vulnerability on CoreGraphics. It is triggered by convincing the target to open a malicious PDF document on the device, leading to arbitrary code execution. A second actively exploited bug addressed with this update is CVE-2021-30858, a use after free bug in Safari’s engine, WebKit.

The same two flaws were addressed for macOS Big Sur with version 11.6, while the CoreGraphics flaw was fixed with watchOS 7.6.2 too, so the general advice is to update all your Apple devices now. For those using Safari, Apple’s own and default web browser, make sure that you’re running version 14.1.2.

‘FORCEDENTRY’ is a click-less interaction-less zero-day, so failing to update may keep you open to stealthy attacks. The particular flaw has been confirmed to work against iOS 14.4 and iOS 14.6, but when Apple released iOS 14.7, there was no mention of an iMessage fix. Then came iOS 14.7.1, which fixed ‘CVE-2021-30807’, a critical privilege escalation buffer overflow bug, but still gave nothing on the iMessage zero-day. Finally, we now got to learn that all the speculation wasn’t baseless, as Apple has eventually fixed the dangerous flaw.

Pathlock’s president, Kevin Dunne, has shared the following comment with us:

In the past, users could be trained to avoid spyware infections by looking out for suspicious SMS messages and making sure not to click on links from any numbers they did not recognize. However, spyware attackers have now engineered zero-click attacks which are able to get full access to a phone's data and microphone/camera by using vulnerabilities in third-party apps or even built-in applications. Organizations need to make sure they have control over what applications users download onto their phones, and can ensure they are up to date so any vulnerabilities are patched.

To update your iPhone or iPad, hop to Settings → General, and then tap on Software Update. Do not ignore that “red” tag on the Settings icon, and don’t delay applying the update as you could be under attack already, and you would notice no telltale signs of it. According to Citizen Labs, some side-effects of FORCEDENTRY being deployed on the iPhone include random segfaults and thermal monitor daemon errors.


Add a Comment
Related Posts

Update to iOS 14.4 Now to Plug Three Actively Exploited “Zero Day” Bugs


January 27, 2021

The Number of iOS Exploits has Spiked, while the Payout for Android Zero-Days Skyrocketed


September 4, 2019

Apple Puts Out Regular iOS Security Update Fixing Three Zero-Days


November 6, 2020

Flash May Be Dead, but ‘Shlayer’ Campaigns Are Still Using It as a Disguise


July 20, 2021

Apple Fixes Three Zero-Day Flaws That Are Under Active Exploitation


May 4, 2021

Apple Publishes List of Fixes for iOS 14.7 Along With macOS and iPadOS Updates


July 22, 2021

© TechNadu 2024. All Rights Reserved.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari