Updated to include comment from Apple and NSO Group.
Apple on Monday (Sept. 13) released updates for iOS, iPadOS, macOS, watchOS and Safari to fix two zero-day flaws that are actively being exploited by hackers. At least one of the flaws has been used by commercial spyware to break into the phones of political activists in Persian Gulf countries.
You’ll want to update your iDevices to iOS and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2 and Safari 14.1.2. MacOS 10.15 Catalina gets a security update without a new version number, while the Safari update is for Catalina and its predecessor, macOS 10.14 Mojave.
We know some details about one of the two flaws, catalogued as CVE-2021-30860, which affects the Apple CoreGraphics component on iOS, iPadOS, watchOS, Big Sur and Catalina, but not Safari on its own.
Apple’s security advisories state that because of this vulnerability, “processing a maliciously crafted PDF may lead to arbitrary code execution.” In other words, if you view a booby-trapped PDF, your system can be hacked over the internet.
This flaw was discovered last month by Citizen Lab researchers at the University of Toronto who had examined the iPhones of nine Bahraini dissidents. The researchers called the exploit of the vulnerability “FORCEDENTRY” and said it was used by the Pegasus spyware, commercial spyware developed and distributed by Israel-based NSO Group.
Today, Citizen Lab disclosed that the same exploit was used on an iPhone belonging to a Saudi political activist. The exploit permits takeover of an iPhone if the user receives a message in iMessage. No user action is needed to trigger the exploit, leading information-security experts to call it a “zero-click exploit.”
The other vulnerability, catalogued as CVE-2021-30858, is more mysterious. It is a flaw in WebKit, the Safari rendering engine, and its discovery is credited to “an anonymous researcher.”
Apple states that “processing maliciously crafted web content may lead to arbitrary code execution” — again, nasty web stuff can hack your device.
This flaw affects iOS, iPadOS, Big Sur and Safari, but not watchOS or Catalina. As with the other flaw, Apple says that it is “aware of a report that this issue may have been actively exploited.”
Soon after Apple released the patches, Reuters posted a story about the intelligence services of the United Arab Emirates hacking the iPhones of domestic political activists and foreign diplomats and politicians. It’s not yet clear whether either zero-day flaw patched today is involved.
Apple kicks off its annual fall extravaganza Tuesday (Sept. 14), and it’s likely that the iPhone 13 will be unveiled along with iOS 15.
Apple later on Monday released the following statement to media outlets, attributable to Ivan Krstić, the company’s head of security engineering.
“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly.
Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
In a statement to media, NSO Group had this to say.
“NSO Group will continue to provide intelligence and law-enforcement agencies around the world with life-saving technologies to fight terror and crime.”