Apple Fixes Pegasus-Exploited Zero-Day Through iOS 14.8 and macOS 11.6

  • Apple addressed the zero-day in iMessage that was being exploited by NSO’s spyware, ‘Pegasus’.
  • The flaw is click-less and interaction-less, so there can be no protection against it if you don’t update your device.
  • It took Apple a while to address it as the previous two bug-fixing releases plugged other nasty flaws.

Apple released iOS and iPadOS 14.8, fixing a zero-day iMessage exploit used by NSO’s Pegasus (named ‘FORCEDENTRY’ by Citizen Lab, which discovered and reported on it first). The flaw is tracked as ‘CVE-2021-30860,’ and it is a vulnerability in CoreGraphics. It is triggered by convincing the target to open a malicious PDF document on the device, leading to arbitrary code execution. A second actively exploited bug addressed with this update is CVE-2021-30858, a use-after-free bug in Safari’s engine, WebKit.

The same two flaws were addressed for macOS Big Sur with version 11.6, while the CoreGraphics flaw was fixed with watchOS 7.6.2 too, so the general advice is to update all your Apple devices now. For those using Safari, Apple’s own and default web browser, make sure that you’re running version 14.1.2.

‘FORCEDENTRY’ is a click-less, interaction-less zero-day, so failing to update may keep you open to stealthy attacks. The particular flaw has been confirmed to work against iOS 14.4 and iOS 14.6, but when Apple released iOS 14.7, there was no mention of an iMessage fix. Then came iOS 14.7.1, which fixed ‘CVE-2021-30807’, a critical privilege escalation buffer overflow bug, but still gave nothing on the iMessage zero-day. We have now learned that the speculation wasn’t baseless, as Apple has finally fixed the dangerous flaw.

Pathlock’s president, Kevin Dunne, has shared the following comment with us:

In the past, users could be trained to avoid spyware infections by looking out for suspicious SMS messages and making sure not to click on links from any numbers they did not recognize. However, spyware attackers have now engineered zero-click attacks which are able to get full access to a phone’s data and microphone/camera by using vulnerabilities in third-party apps or even built-in applications. Organizations need to make sure they have control over what applications users download onto their phones, and can ensure they are up to date so any vulnerabilities are patched.

To update your iPhone or iPad, go to Settings → General, and then tap on Software Update. Do not ignore that “red” tag on the Settings icon, and don’t delay applying the update, as you could be under attack already and would notice no telltale signs of it. According to Citizen Lab, some side-effects of FORCEDENTRY being deployed on the iPhone include random segfaults and thermal monitor daemon errors.
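For teams managing more than one device, the fixed versions listed above can be checked against an inventory export. The following is an added example, not code from Apple or from this article's sources; the device names and inventory records are constructed, and it assumes any release numbered at or above the listed version contains the fix.

```python
import re

# Minimum fixed versions and CVE mapping as stated in the article above.
FIXED = {
    "ios":     ((14, 8),    ["CVE-2021-30860", "CVE-2021-30858"]),
    "ipados":  ((14, 8),    ["CVE-2021-30860", "CVE-2021-30858"]),
    "macos":   ((11, 6),    ["CVE-2021-30860", "CVE-2021-30858"]),
    "watchos": ((7, 6, 2),  ["CVE-2021-30860"]),   # CoreGraphics fix only
    "safari":  ((14, 1, 2), ["CVE-2021-30858"]),   # WebKit fix
}

def parse_version(text):
    """Turn '14.7.1' into (14, 7, 1); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_patched(version, minimum):
    """Numeric compare, padded so 14.8 == 14.8.0 and 14.10 > 14.8."""
    width = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)

def audit(inventory):
    """Return (device, status, cves) for records not confirmed patched (fails closed)."""
    findings = []
    for device, platform, version in inventory:
        entry = FIXED.get(platform.lower())
        if entry is None:
            findings.append((device, "unknown-platform", []))
            continue
        minimum, cves = entry
        try:
            patched = is_patched(parse_version(version), minimum)
        except ValueError:
            findings.append((device, "unparseable-version", cves))
            continue
        if not patched:
            findings.append((device, "needs-update", cves))
    return findings

# Constructed sample inventory (hypothetical device names).
SAMPLE = [
    ("iphone-01", "iOS", "14.7.1"), ("iphone-02", "iOS", "14.8"),
    ("ipad-01", "iPadOS", "14.8.0"), ("mac-01", "macOS", "11.5.2"),
    ("watch-01", "watchOS", "7.6.2"), ("mac-01-safari", "Safari", "14.1.1"),
    ("kiosk-01", "iOS", "unknown"),
]
```

Calling audit(SAMPLE) returns only the records that still need attention, each with the CVEs the article ties to that platform's update.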
