Apple has announced a security update for iOS, macOS and watchOS against Israeli company NSO Group’s zero-day in iMessage, allowing access to iPhones, iPads, Macs and Apple Watches without clicking a link.
The vulnerability was actively exploited by the Pegasus spyware from NSO Group, discovered research firm Citizen Lab, which has been investigating the Pegasus spyware for some time. The zero-click exploit against iMessage was found by Citizen Lab on a Saudi activist’s iPhone. The exploit, called ForcedEntry, abuses Apple’s image rendering library and can access an Apple device without the victim having to click a link. , just by sending a gif to the victim’s phone. That gif is in reality a PSD or PDF file. That file crashes the IMTranscoderAgent on the device, allowing Pegasus to run arbitrary code on the device. The vulnerability works on iOS, MacOS and watchOS. According to Citizen Lab, the vulnerability at least since February this year abused.
Apple calls on users to update their operating systems as soon as possible. For iOS and iPadOS, the latest version is 14.8, for macOS version 11.6, and for watchOS version 7.6.2. Apple has also released a security update for macOS Catalina, update 2021-005. The ForcedEntry vulnerability is registered under CVE-2021-30860. The operating system update also fixes a WebKit vulnerability that allows remote code execution. Apple also addresses this vulnerability with version 14.1.2 of Safari.
The ForcedEntry vulnerability is not new, it was already discovered by Citizen Lab in August. Then Citizen Lab discovered that the Pegasus spyware exploited this vulnerability in conjunction with the 2020 Kismet vulnerability against nine activists from Bahrain. Pegasus is a spyware suite from Israeli company NSO Group that uses ever-new vulnerabilities to access the phones of criminals and terrorists, as well as journalists, activists and dissidents. NSO Group is selling the suite to governments and government departments. In December last year, Citizen Lab also discovered a zero day in iMessage that had been abused by the Pegasus spyware.