Apple has issued a security update to fix two zero-day vulnerabilities, one of which has been exploited by NSO Group to deliver Pegasus spyware.
CVE-2021-30858 is a WebKit use-after-free vulnerability that can be exploited via a specially crafted web page to run commands on a vulnerable iPhone or Mac when the page is visited. The flaw was reported anonymously to Apple, which warned that the vulnerability may have been exploited in the wild.
The second vulnerability is a CoreGraphics integer overflow flaw that was identified by security researchers at Citizen Lab. The flaw, tracked as CVE-2021-30860, has been exploited using a zero-click zero-day iMessage exploit named FORCEDENTRY. The exploit has been used to bypass the new iOS BlastDoor sandboxing security feature to deliver Pegasus spyware. Several Bahraini activists have had Pegasus installed on their iPhones using the exploit.
Citizen Lab has advised all users of Apple devices, including iPhones, iPads, Macs, and Apple Watches to apply the security updates immediately and said the vulnerability affects “all iPhones with iOS versions prior to 14.8; all Mac computers with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina; and all Apple Watches prior to watchOS 7.6.2.”
Apple said the vulnerabilities can be exploited using specially crafted documents, such as malicious PDF files, which will run commands when opened on vulnerable devices.
Citizen Lab said it observed NSO Group using the FORCEDENTRY exploit in February 2021 and said the exploit was successfully used to deliver spyware in August on the latest iOS versions, 14.4 and 14.6. The researchers identified a forensic artifact named CascadeFail, which tied the exploit to the Israeli spyware maker. CascadeFail is a flaw where evidence of compromise is incompletely deleted: the spyware removes a process record but leaves behind other records that still point to it. Citizen Lab said, “an entry from the file’s ZPROCESS table is deleted, but not entries in the ZLIVEUSAGE table that refer to the deleted ZPROCESS entry.” Other evidence was also found that suggests NSO Group is using the exploit.
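The CascadeFail artifact is, in database terms, a dangling reference: ZLIVEUSAGE rows whose process key no longer matches any ZPROCESS row. The following script is an added example of how a responder could check a copy of such a SQLite database for that condition; it is not Citizen Lab's tooling or Apple's code. The table names come from the article, but the column names (ZHASPROCESS as the reference into ZPROCESS.Z_PK, plus a few usage columns) and the sample rows are constructed for this example and are assumptions about the real schema.

```python
import sqlite3

# Constructed schema for the two tables named in the article. The column
# names here are an assumption for this example; the real database has more
# columns, but the orphan check only needs the key relationship.
SCHEMA = """
CREATE TABLE ZPROCESS (
    Z_PK INTEGER PRIMARY KEY,
    ZPROCNAME TEXT,
    ZBUNDLENAME TEXT
);
CREATE TABLE ZLIVEUSAGE (
    Z_PK INTEGER PRIMARY KEY,
    ZHASPROCESS INTEGER,   -- refers to ZPROCESS.Z_PK; no FK constraint enforced
    ZWIFIIN REAL,
    ZWWANIN REAL,
    ZTIMESTAMP REAL
);
"""

# Constructed sample data. Usage row 4 refers to ZPROCESS 17, which has been
# deleted: that is the incomplete-deletion pattern the article calls CascadeFail.
SAMPLE_PROCESSES = [
    (1, "mobilemail", "com.apple.mobilemail"),
    (2, "Safari", "com.apple.mobilesafari"),
    (3, "imagent", "com.apple.imagent"),
]
SAMPLE_USAGE = [
    (1, 1, 1024.0, 0.0, 652000000.0),
    (2, 2, 4096.0, 512.0, 652000100.0),
    (3, 3, 0.0, 0.0, 652000200.0),
    (4, 17, 8192.0, 0.0, 652000300.0),
]


def build_sample_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ZPROCESS VALUES (?, ?, ?)", SAMPLE_PROCESSES)
    conn.executemany("INSERT INTO ZLIVEUSAGE VALUES (?, ?, ?, ?, ?)", SAMPLE_USAGE)
    conn.commit()
    return conn


def open_readonly(path):
    """Open an evidence copy read-only so the check cannot alter it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


# LEFT JOIN and keep only usage rows with no matching process row. A NULL
# ZHASPROCESS is not a dangling reference, so it is excluded explicitly.
ORPHAN_QUERY = """
SELECT u.Z_PK, u.ZHASPROCESS, u.ZTIMESTAMP
FROM ZLIVEUSAGE AS u
LEFT JOIN ZPROCESS AS p ON p.Z_PK = u.ZHASPROCESS
WHERE p.Z_PK IS NULL AND u.ZHASPROCESS IS NOT NULL
ORDER BY u.Z_PK
"""


def find_orphaned_usage(conn):
    """Return (usage_pk, missing_process_pk, timestamp) for each dangling row."""
    return [tuple(row) for row in conn.execute(ORPHAN_QUERY)]


def triage(conn):
    """Summarise the check: how many dangling rows, and which process ids are gone."""
    orphans = find_orphaned_usage(conn)
    return {
        "orphaned_rows": len(orphans),
        "missing_process_ids": sorted({o[1] for o in orphans}),
    }


if __name__ == "__main__":
    db = build_sample_db()
    for usage_pk, proc_pk, ts in find_orphaned_usage(db):
        print(f"ZLIVEUSAGE {usage_pk} refers to missing ZPROCESS {proc_pk} (timestamp {ts})")
    print(triage(db))
```

A hit from this query is an indicator worth escalating, not proof of Pegasus on its own: the timestamp on the orphaned row gives the analyst a window to correlate with other logs, and the check should always be run against a forensic copy opened read-only, as `open_readonly` does.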
Pegasus spyware can turn on the camera to record video footage and the microphone to record audio. Text messages, emails, and calls can also be recorded, even when encrypted messaging apps are used. NSO Group maintains it only sells its spyware to intelligence communities, and only those that have been thoroughly vetted to make sure they are not committing human rights violations. The spyware is usually delivered via a malicious hyperlink that is sent to individual targets, with the messages tailored to those individuals to increase the probability of the link being clicked. However, the use of zero-click exploits makes delivery far easier and allows the malware to be delivered silently without the user being aware that their device has been infected. In one case, a victim was discovered to have had the spyware installed for six months before it was detected.