Today’s iOS 14.8 update addresses a critical vulnerability exploited by Israel’s NSO Group’s Pegasus spyware. Recall that the German authorities have recently admitted to purchasing this product.
Last week, Citizen Lab informed Apple about a new iMessage vulnerability targeting the image rendering library. Called FORCEDENTRY, this exploit allows attackers to hack iPhone, iPad, Apple Watch and Mac by sending a special message to the victim’s device via iMessage. Of particular concern is the fact that no user confirmation action is lso,to exploit the vulnerability.
FORCEDENTRY is actively in use by the Israeli NSO Group’s Pegasus spyware. Citizen Lab researchers discovered the vulnerability after analyzing the jailbroken iPhone of a Saudi Arabian activist. Apple received the details on September 7th; and it took the company a week to close the security hole. According to Citizen Lab, the FORCEDENTRY vulnerability has been in exploitation since at least February 2021.
Apple, while describing the fix, reports on the CVE-2021-30860 vulnerability, which can be exploited by a malicious PDF file to execute arbitrary code on a device.
Apple releases iOS 14.8 to counter Pegasus spyware
In July of this year, there were many reports in the media about the iMessage vulnerability, which allows you to get full access to the device without the user’s knowledge. Later, a database containing data from more than 50 thousand people who became victims of the Pegasus software was available in the network. Also, Pegasus spyware is notable for its ability to bypass BlastDoor, a messaging sandbox designed to prevent such attacks.
Now iPhone users are safe again. In addition, Apple says it will add a number of new spyware barriers to the final version of iOS 15 to keep iPhone users free of privacy concerns.
Also, “Ubiquitous chat apps have become a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them,” Citizen Lab said in a report. “As presently engineered, many chat apps have become an irresistible soft target.”
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life; and are in use to target specific individuals,” Ivan Krstić; who runs Apple’s security engineering and architecture operations, said in a statement. “While that means they are not a threat to the overwhelming majority of our users; we continue to work tirelessly to defend all our customers; and we are constantly adding new protections for their devices and data.”