
Apple Patches NSO Zero-Day Flaw | iOS, macOS Security Update

September 13, 2021

Critical Security Updates Released by Apple

Apple has issued security patches to address a zero-day vulnerability impacting all iPhone, iPad, Mac, and Apple Watch devices. The vulnerability was initially identified by Citizen Lab, who are urging users to promptly update their systems.

Vulnerability Details and Affected Products

The tech company confirmed that iOS 14.8 for iPhones and iPads, alongside corresponding updates for Apple Watch and macOS, will resolve at least one security flaw believed to be under active exploitation.

Citizen Lab has uncovered further evidence related to the ForcedEntry vulnerability, initially detailed in August during an investigation into a zero-day exploit used to compromise iPhones belonging to a Bahraini activist.

Pegasus Spyware and the iMessage Flaw

Last month, Citizen Lab reported that this zero-day flaw – so named because it provides no time for developers to create a fix – exploited a weakness within Apple’s iMessage application. This allowed the deployment of Pegasus spyware, created by the Israeli firm NSO Group, onto the activist’s phone.

Pegasus grants governmental clients extensive access to a target’s device, encompassing personal data, photos, messages, and location information.

Bypassing BlastDoor Security

The severity of this breach lies in its ability to compromise the most recent iPhone software versions at the time, specifically iOS 14.4 and the later iOS 14.6, which Apple released in May. Furthermore, the exploit circumvented BlastDoor, a new security feature integrated into iOS 14 designed to prevent silent attacks by filtering potentially harmful code.

Citizen Lab has designated this specific exploit as ForcedEntry due to its capacity to bypass Apple’s BlastDoor protections.

Expanding Evidence of ForcedEntry

Recent findings from Citizen Lab reveal evidence of the ForcedEntry exploit on an iPhone belonging to a Saudi activist, even while running the latest version of iOS. The exploit leverages a vulnerability in the way Apple devices process images displayed on the screen.

Citizen Lab asserts that the ForcedEntry exploit is effective against all Apple devices running the latest software released before the present updates.

Reporting and Remediation

Citizen Lab communicated its findings to Apple on September 7th. Apple subsequently released updates addressing the vulnerability, officially identified as CVE-2021-30860. Citizen Lab attributes the ForcedEntry exploit to NSO Group with a high degree of confidence, based on previously unpublished evidence.

The Growing Threat to Messaging Apps

John Scott-Railton, a researcher at Citizen Lab, explained to TechCrunch that messaging applications, such as iMessage, are increasingly becoming targets for nation-state hacking operations, highlighting the ongoing challenges in securing these platforms.

Apple's Response

Ivan Krstić, Apple’s head of security engineering and architecture, confirmed the fix in a statement.

“Following the identification of the vulnerability exploited by this attack on iMessage, Apple swiftly developed and deployed a fix in iOS 14.8 to safeguard our users. We extend our gratitude to Citizen Lab for their successful completion of the complex task of obtaining a sample of this exploit, enabling us to rapidly develop this solution. These types of attacks are highly sophisticated, requiring substantial financial investment and often possessing a limited lifespan, typically targeting specific individuals.

While they do not pose a widespread threat to the majority of our users, we remain dedicated to defending all our customers and continuously enhancing protections for their devices and data,” stated Krstić.

NSO Group's Silence

NSO Group declined to respond to specific inquiries.

Updated with comment from Apple.
