There’s a new zero-day, zero-click vulnerability in all types of Apple devices, including Macs, iPhones, iPads, and WatchOS. The flaw has been called FORCEDENTRY.
How was the Apple FORCEDENTRY (CVE-2021-30860) zero-day disclosed, and who discovered it?
The zero-day was discovered by Citizen Lab researchers during an analysis of the phone of a Saudi activist infected with the Pegasus spyware. The flaw is a zero-click exploit against iMessage, targeting Apple’s image-rendering library.
The researchers were able to determine “that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware.” It is believed that FORCEDENTRY has been in use since at least February 2021.
The NSO Group is the maker of Pegasus, an advanced spyware application that jailbreaks or roots infected devices enabling the spyware to go through private messages, activate the microphone and camera, and collect sensitive information.
Citizen Lab disclosed their findings, including the code, to Apple. Following the official disclosure, the vulnerability was assigned the CVE-2021-30860 identifier. According to its official description, it’s an issue that could lead to processing a maliciously crafted PDF and arbitrary code execution.
So far, only limited technical details are made available. What is known so far is that the FORCEDENTRY exploit works by leveraging an integer overflow vulnerability in Apple’s image rendering library (CoreGraphics).
Fortunately, an update is now available for CVE-2021-30860. Apple users are urged to update their devices immediately. To fix the issue, an integer overflow was addressed with improved input validation, the advisory revealed.
Not the first NSO Group zero-day zero-click flaw
It is noteworthy that another zero-click vulnerability was attributed to the NSO Group in 2019.
The flaw allowed hackers to compromise devices using the Pegasus spyware. The CVE-2019-3568 vulnerability was a buffer overflow in WhatsApp VOIP stack. It allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.
It is worth mentioning that exploits based on the flaw happened by calling either a vulnerable iPhone or an Android device via the WhatsApp calling function. Furthermore, the calls didn’t need to be answered, and often disappeared from logs. Fortunately, the flaw was supposedly fixed.