Apple has released iOS and iPadOS 14.8, fixing a zero-day iMessage exploit used by NSO Pegasus (named ‘FORCEDENTRY’ by Citizen Lab, who discovered and reported on it first). The flaw is tracked as ‘CVE-2021-30860’ and is a vulnerability in CoreGraphics. It is triggered by convincing the target to open a malicious PDF document on the device, leading to arbitrary code execution. A second actively exploited bug addressed with this update is CVE-2021-30858, a use-after-free bug in Safari’s engine, WebKit.
The same two flaws were addressed for macOS Big Sur with version 11.6, while the CoreGraphics flaw was fixed with watchOS 7.6.2 too, so the general advice is to update all your Apple devices now. For those using Safari, Apple’s own and default web browser, make sure that you’re running version 14.1.2.
‘FORCEDENTRY’ is a click-less, interaction-less zero-day, so failing to update may leave you open to stealthy attacks. The particular flaw has been confirmed to work against iOS 14.4 and iOS 14.6, but when Apple released iOS 14.7, there was no mention of an iMessage fix. Then came iOS 14.7.1, which fixed ‘CVE-2021-30807’, a critical privilege escalation buffer overflow bug, but still said nothing about the iMessage zero-day. Now we learn that the speculation wasn’t baseless, as Apple has finally fixed the dangerous flaw.
Pathlock’s president, Kevin Dunne, has shared the following comment with us:
To update your iPhone or iPad, go to Settings → General, and then tap on Software Update. Do not ignore that “red” tag on the Settings icon, and don’t delay applying the update, as you could be under attack already and would notice no telltale signs of it. According to Citizen Lab, some side effects of FORCEDENTRY being deployed on the iPhone include random segfaults and thermal monitor daemon errors.