Apple Issues iOS Patches, Fixes Vulnerability Linked to NSO Group
Apple issued patches on Monday for two vulnerabilities that can permit an attacker to run code on iOS devices, with one vulnerability (CVE-2021-30860) said by researchers to originate from the NSO Group, an Israeli spyware maker.
CVE-2021-30860, which "may have been actively exploited," according to Apple, is described as an integer overflow issue caused by "a maliciously crafted PDF" file, affecting iPhone 6 and later devices, as well as iPads. The other vulnerability, CVE-2021-30858, is a "use after free" vulnerability exploited by "maliciously crafted Web content" that "may have been actively exploited."
These vulnerabilities were called out in a Monday alert by the U.S. Cyberstructure and Infrastructure Security Agency. The agency, which issues security advice to U.S. government agencies, broadened the list of affected systems to also include macOS Big Sur 11.6, macOS Catalina and watchOS 7.6.2, plus Apple's Safari 14.1.2 browser.
NSO Group Allegation
Apple credited The Citizen Lab, a University of Toronto research project that investigates human rights, privacy and security issues, with finding the CVE-2021-30860 vulnerability. The Citizen Lab dubbed the vulnerability as "ForcedEntry" and said it was used to install the NSO Group's Pegasus spyware on a Saudi activist's phone, according to its published analysis.
ForcedEntry is a clickless attack. PDF files are installed on a device to abuse Apple's image rendering library (called "CoreGraphics") to execute code. According to the researchers, the vulnerability is present on:
All iPhones with iOS versions prior to 14.8
All Mac computers with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina, and
All Apple Watches prior to watchOS 7.6.2.
The Citizen Lab identified the exploit as coming from the NSO Group based on its past spyware implementations. It's "despotism as a service," according to The Citizen Lab:
Our latest discovery of yet another Apple zero day employed as part of NSO Group's arsenal further illustrates that companies like NSO Group are facilitating "despotism-as-a-service" for unaccountable government security agencies. Regulation of this growing, highly profitable, and harmful marketplace is desperately needed.
The Citizen Lab also claimed that chat apps have become major targets for threat actors, including "nation state espionage operations and the mercenary spyware companies that service them."
Apple confirmed CVE-2021-30860 six days after disclosure by The Citizen Lab on Sept. 7, and then issued a patch on Sept. 13.
Outside security researchers weren't too impressed by Apple's security performance, though. Shane Huntley of Google's Threat Analysis Group stated in a Twitter post that CVE-2021-30860 was a "great find by Citizen Lab and good work by Apple to patch, but it shows how far away we all are from any real security," given that the NSO Group can repeatedly induce zero-click exploits on iPhones.
Security expert Kevin Beaumont, formerly of Microsoft, said that "iOS is always vuln[erable] to something and NSO Group customers always have access to your data, [so] rushing to patch is a security comfort blanket."
Beaumont clarified that statement in his Twitter post, indicating that this vulnerability has been "exploited for 7 months" and that "Apple has much work to do."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.