Apple has released two security updates to fix as many zero-day vulnerabilities: one of these, dubbed ForcedEntry, affects all iPhone, iPad, Mac and Apple Watch devices and was used by the Pegasus spyware to spy on iPhone users. It is therefore important to install the patches now.
14 Sep 2021
Paolo Tarsitano, Editor, Cybersecurity360.it
Apple has released updated versions of its operating systems, iOS 14.8, iPadOS 14.8, watchOS 7.6.2 and macOS Big Sur 11.6, together with Safari 14.1.2, to fix two important zero-day vulnerabilities that are already being actively exploited. One of them, dubbed ForcedEntry, is also zero-click and, according to the Citizen Lab researchers who disclosed the details of the exploit, has been used to spy on iPhone users with the infamous Pegasus product from NSO Group.
Pegasus, as a reminder, is a powerful spyware that can activate the camera and microphone on a target's phone and record messages, texts, emails and calls, even when they are sent through encrypted messaging apps such as Signal.
The exploit for the ForcedEntry vulnerability, also known as Megalodon, was weaponized by NSO Group and supplied to the government of Bahrain, which allegedly used it last February to spy on the mobile phones of nine political activists.
The two vulnerabilities fixed by Apple with the security updates for its operating systems and the Safari browser are the following:
The details of the ForcedEntry vulnerability
According to the Citizen Lab researchers, who analyzed the phone of a Saudi activist whose identity they did not disclose, the ForcedEntry vulnerability is a serious security problem because it works on all Apple devices and, in this case, allowed an attacker to execute malicious code simply by sending a message to the iMessage app.
In particular, the exploit bypasses the BlastDoor sandbox that Apple introduced in iOS 14 (and in the subsequent 14.4 and 14.6 releases) precisely to prevent zero-click intrusions by filtering untrusted data sent to the messaging app installed on the device.
Furthermore, the exploit chain used by Pegasus is triggered, without any interaction from the intended victim, when the victim receives a text message containing a malicious GIF image which in fact hides an Adobe PSD (Photoshop Document) file or a PDF designed to crash the iMessage component responsible for automatic image rendering.
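The mismatch described above, a file whose name says GIF but whose bytes are a PDF or PSD, is something a defender can flag before an image parser ever sees the file. The check below is an added example, not code from the article or from Citizen Lab; the sample attachments are constructed inline and the magic-byte values are the standard GIF, PDF and PSD file signatures.

```python
from pathlib import Path
from typing import Dict, List, Optional

# Standard leading-byte signatures for the three formats the article mentions.
SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"8BPS": "psd",
}

# What the file extension claims the content to be.
EXPECTED_BY_EXT = {".gif": "gif", ".pdf": "pdf", ".psd": "psd"}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the real format from the first bytes, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def check_attachment(name: str, data: bytes) -> Dict[str, object]:
    """Compare the type claimed by the extension with the type found in the bytes."""
    claimed = EXPECTED_BY_EXT.get(Path(name).suffix.lower())
    actual = sniff_type(data)
    # Only flag a definite disagreement; unknown content is reported, not flagged.
    mismatch = claimed is not None and actual is not None and claimed != actual
    return {"name": name, "claimed": claimed, "actual": actual, "mismatch": mismatch}


def scan(attachments: Dict[str, bytes]) -> List[str]:
    """Return the names of attachments whose extension lies about their content."""
    return [n for n, d in attachments.items() if check_attachment(n, d)["mismatch"]]


# Constructed samples: one honest GIF, one ".gif" that is really a PDF, one that is a PSD.
SAMPLE_ATTACHMENTS = {
    "cat.gif": b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 8,
    "holiday.gif": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "meme.gif": b"8BPS\x00\x01" + b"\x00" * 6 + b"\x00\x03",
}

if __name__ == "__main__":
    for flagged in scan(SAMPLE_ATTACHMENTS):
        print("extension/content mismatch:", flagged, check_attachment(flagged, SAMPLE_ATTACHMENTS[flagged]))
```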
At this point, with the protection barriers bypassed, the delivery of the Pegasus surveillance tool begins, giving almost complete access to the contents of the victim's device, including personal information and data, photos, messages and geographical location.
It is important to underline, however, that in the espionage case documented by the Citizen Lab researchers the Pegasus spyware was delivered via iMessage, but in principle the exploit could work with any app that uses Apple's image rendering engine.
“Our latest discovery of another Apple zero-day employed as part of the NSO Group arsenal proves once again that companies similar to the Israeli vendor are facilitating the development of so-called despotism-as-a-service for government security agencies,” the Citizen Lab researchers said in their report.
“Ubiquitous chat apps have become a major target for sophisticated threat actors, including nation-state espionage operations, or for companies that develop their own spyware and then lend it to anyone who requests it. As currently designed, many chat apps have become an irresistible soft target,” the researchers added.
Zero-day, zero-click exploits, such as the new method used by the Pegasus spyware to invisibly infect an Apple device without the victim's knowledge and without requiring any interaction, are therefore pure gold for governments, mercenaries and criminals who want to secretly surveil the devices of their chosen targets without being detected.
Update Apple devices immediately
As we said, in its latest security bulletin, Apple also published the details of another zero-day vulnerability, tracked as CVE-2021-30858. It is the latest in a series of identified flaws in WebKit fixed just this year.
With these last two updates, the Cupertino company has corrected a total of 15 zero-day vulnerabilities since the beginning of the year.
In particular, given the severity of the ForcedEntry vulnerability and the little information available so far on how to recognize malicious PDF/PSD files or web pages, it is important to update the operating system on exposed Apple devices (practically all of them, as we said at the beginning) as soon as possible to mitigate any potential threat deriving from active exploitation of the flaws.
This is the list of available updates:
To check for updates (and install them if they have not already been downloaded automatically), simply follow these steps:
For users of Apple devices running operating system versions older than those covered by these updates, the advice for defending against possible attacks (not confirmed at the moment, but not excluded either) is to pay maximum attention when opening a suspicious PDF or PSD document or downloading one from untrusted websites.
It must be said that attacks such as the one conducted through the exploitation of the ForcedEntry vulnerability are highly sophisticated, and the development of the exploits used in the infection chain can cost millions of dollars. Furthermore, they are often short-lived and aimed at specific targets.
This means that they should not pose a serious threat to most users, but we know that you should never let your guard down, because cybercrime is always ready to strike in any way and when it is least expected.