Apple iOS, macOS and watchOS users should update their devices as soon as possible because the company has issued security patches for two serious vulnerabilities, one of which was discovered by the University of Toronto’s Citizen Lab and allegedly used to compromise the devices of activists and reporters.
In a brief notice Monday, Apple described the two issues:
–CVE-2021-30858, a problem in the WebKit browser engine that affects iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Processing maliciously crafted web content may lead to arbitrary code execution, the company said. Apple is aware of a report that this issue may have been actively exploited.
–CVE-2021-30860, a problem in the CoreGraphics vector drawing framework that could be compromised by a maliciously crafted PDF and lead to arbitrary code execution.
The patch is available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Apple credits the discovery of this vulnerability to Citizen Lab, a part of UofT’s Munk School of Global Affairs and Public Policy, which researches the abuse of technology.
In a report Monday, Citizen Lab said its discovery relates to the installation of spyware called Pegasus, created by an Israeli cybersecurity company called NSO Group. The company has been the subject of a number of critical reports from Citizen Lab, all of which allege governments and law enforcement agencies use NSO Group’s technology to target political activists and reporters. NSO Group says its products are used to combat threats. In July, Amnesty International and a number of media outlets alleged Pegasus had been used by some governments to target 80 reporters, as well as politicians.
In its latest report, Citizen Lab said that while analyzing the iPhone of a Saudi activist infected with Pegasus spyware, it discovered a zero-day zero-click exploit against iMessage. The vulnerability, which it dubs ForcedEntry, targets Apple’s image rendering library and can be exploited with a malicious PDF. Citizen Lab thinks ForcedEntry has been in use since at least February. It is effective against Apple iOS, MacOS and WatchOS devices.
Citizen Lab reported the vulnerability to Apple, which released the patch.
Briefly, the exploit works by exploiting an integer overflow vulnerability in Apple’s CoreGraphics image rendering library. Citizen Lab says ForcedEntry is the latest in a string of zero-click exploits it links to NSO Group. In 2019, WhatsApp fixed CVE-2019-3568, a zero-click vulnerability in WhatsApp calling that NSO Group allegedly used against more than 1,400 phones in a two-week period. In 2020, it alleges, NSO Group employed what it calls the Kismet zero-click iMessage exploit.
“Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating “despotism-as-a-service” for unaccountable government security agencies,” Citizen Lab said. “Regulation of this growing, highly profitable, and harmful marketplace is desperately needed.”
Toby Lewis, global head of threat analysis at Darktrace, noted that Pegasus uses a range of exploits to gain access to a device and can be somewhat tailored to the target or attack campaign. “Fundamentally, they have access to a range of iOS (Apple) and Android vulnerabilities that would allow them to exploit a range of native applications (i.e., applications that came pre-installed on the devices), often by just trying to open a file sent in an email or over text message; or clicking on a link that opens in Safari (for example). The exploits allow them to jailbreak the device, give them elevated privileges to install additional applications, or configure the device however the attacker wants – including installing the spyware component of Pegasus.”
Apple has long operated a so-called “Walled Garden,” he also pointed out, where the underlying operating system on the phone is completely inaccessible to any third-party applications, which can only be installed via the official App Store and are themselves installed and ran from a compartmentalized area of storage and processing. “With the high degree of vetting for applications in the App Store, the only real way for malware to become installed on an Apple device is by exploiting the underlying operating system – the process known as Jailbreaking.”
Android’s architecture is more open, Lewis said, giving users greater freedom to install whatever applications they like, but without the protections afforded by Apple. “Even via the official App Store (Google Play), there is only limited vetting and moderation, increasing the risk of malware being installed without the need for a clever exploit.”
What’s most concerning about this threat is the number of mobile devices that are susceptible, said Richard Melick, director of product strategy for endpoint security at Zimperium. “Threats like these will continue to target mobile devices because of the inherent principles that make them mobile: always connected, and always on … With the amount of data stored on and accessible from a mobile device, there is no reason we should not be securing mobile phones with the same diligence we employ to protect our traditional desktops and laptops.”
(This story has been modified from the original with the addition of comments from Toby Lewis and Richard Melick)