Apple releases patch to block “zero-click” spyware exploits

Apple has issued a security patch in regards to two major vulnerabilities dubbed CVE-2021-30860 and CVE-2021-30858, affecting the cybersecurity of its devices. In a blog post on Monday, Apple announced that it had released the iOS 14.8 and iPadOS 14.8 patches after being made aware of reports that the flaws “may have been actively exploited”. 

The announcement comes just as technology giant is expected to reveal new iPhones and updates for its Apple Watch and AirPods at its annual launch event. 

What are the vulnerabilities? 

The first vulnerability, CVE-2021-30860, is an integer overflow vulnerability in Apple’s CoreGraphics that allowed a “maliciously crafted” PDF file to be used by threat actors to perform malicious, arbitrary code execution. The exploit, dubbed FORCEDENTRY, was discovered by Citizen Lab, at the University of Toronto, who informed Apple on 7th September.  

Bill Marczak, one of the cyber researchers at Citizen Lab, called it “the first one where the exploit has been captured so we can find out how it works”. 

Citizen Lab has attributed, with high confidence, that NSO Group, an Israeli surveillance company, is responsible for the cyber attack. They have also stated that the overflow vulnerability was exploited to install NSO’s Pegasus spyware on a Saudi activist’s iPhone. NSO has been previously linked to a hack regarding the iPhone of Jeff Bezos, the founder of Amazon. 

The second vulnerability, called CVE-2021-30858, was discovered by an anonymous researcher. This exploit was where maliciously crafted web content could similarly be leveraged by a malicious actor to perform arbitrary code executions. There are fewer specific details on this vulnerability at time of release.  

What devices are affected? 

The researchers said the vulnerability requires no user action to be exploited and affects all versions of Apple’s IOS, including Apple devices like iPhones, Macs and Apple Watches. 

The released patch to fix these vulnerabilities is available for: 

• iPhone 6s and later. 
• iPad Pro (all models). 
• iPad Air 2 and later. 
• iPad 5th generation and later,  
• iPad mini 4 and later 
• iPod touch (7th generation) 

It is strongly recommended that iOS users patch their devices as soon as possible. 

Apple’s rough year with spyware 

Apple has often branded itself and its devices as being safe and secure. In fact, Apple's iMessage is considered one of the most secure messaging apps available. This has caused many high-profile individuals, including CEOs, solicitors and journalists to become a part of Apple’s customer base.  

In July, Apple found its much-prided cybersecurity system, which had touted itself as very robust, in tatters because of NSO spyware with Pegasus easily bypassing its security by taking advantage of a zero-click exploit, an exploit the Apple was unaware of at the time, breaching the privacy of its customers, including the confidentiality of many organisations. 

Worse still, customers didn’t even have to open up an attachment or click a link in a phishing scheme. An iPhone would just receive an innocuous message and the threat actor would have full remote access to their device, all of Apple’s robust, in-house security inverted.  

The threat actor could then perform a number of activities while remaining virtually undetectable, including: 

• Accessing every received and sent message. 
• Viewing every photo or email.  
• Turning on microphones and cameras, recording victims remotely.  
• Recording what’s on the screen.  
• Turning on GPS to monitor location. 

At the time, the intrusion was only detected because the DataUsage.sqlite file, which records all the software run on an iPhone, had a duplicate file the spyware developers were unaware of. 

In a statement to the Reuters news agency, NSO stated it was going to “continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime”, neither confirming or denying that it was the one behind the spyware reported by Citizen Labs. 

Of course, the inevitable news of more vulnerabilities in Apple’s device security is likely embarrassing for the technology giant, although it could be considered good news that NSO spyware and others like it are becoming easier to detect.