A zero-click exploit in iOS.
During its investigation of a Pegasus spyware infection of a Saudi activist’s iPhone, the University of Toronto’s Citizen Lab found a “zero-day zero-click exploit against iMessage.” They call the exploit “FORCEDENTRY,” say it targets Apple’s image rendering library, and claim that it’s effective against Apple iOS, macOS and watchOS devices.
FORCEDENTRY is a zero-click attack requiring no obvious user interaction; victims may be unaware that their devices have been affected. Malicious files masquerading as GIFs were the infection mechanism, and they arrived courtesy of an unremarked bug in Apple’s image rendering. As Apple put it in its description of the vulnerability, “processing a maliciously crafted PDF may lead to arbitrary code execution.” In this case the arbitrary code would be the Pegasus intercept product.
The Wall Street Journal reports that NSO Group, maker of Pegasus, has apparently been exploiting the vulnerability since February. The company, asked for comment, simply told the Journal, “NSO Group will continue to provide intelligence and law enforcement agencies around the world with lifesaving technologies to fight terror and crime,” which is one way of looking at it.
Citizen Lab and Apple made fairly short work of patching. Citizen Lab forwarded suspicious artifacts to Apple on September 7th, on the 13th Apple confirmed that they included a zero-day exploit, and late yesterday Apple addressed the vulnerability with an update to iOS 14.8. Users are advised to upgrade their devices as soon as practicable. Subsequent releases of iOS will also be designed, Cupertino says, to keep this particular backdoor firmly shut.