The Pegasus Spyware
Apple has released iOS 14.8, iPadOS 14.8, watchOS 7.6.2, macOS Big Sur 11.6, and Safari 14.1.2 to address two recently discovered vulnerabilities. According to the available information, one of the security flaws has been actively exploited to circumvent additional security protections built into the OS.
The first flaw, tracked as CVE-2021-30858 (WebKit), is a use-after-free vulnerability in WebKit that may allow arbitrary code execution when processing maliciously crafted web content. A memory management fix has been provided to address the problem.
The second flaw, tracked as CVE-2021-30860 (CoreGraphics), is an integer overflow that may result in arbitrary code execution when processing a maliciously crafted PDF document. Improved input validation has been provided as a fix for the issue.
In its advisory, the iPhone maker stated that it is aware of a report that this vulnerability may have been actively exploited.
Notably, the security updates were released just a few weeks after researchers from the University of Toronto’s Citizen Lab discovered a zero-day exploit named “FORCEDENTRY”. According to their findings, the “FORCEDENTRY” exploit, also known as Megalodon, has been used to install Pegasus spyware on the phones of nine Bahraini activists in February this year.
According to the report, FORCEDENTRY can easily be triggered by sending a maliciously crafted message to the target. In addition, the exploit successfully circumvents BlastDoor, the iOS 14 security feature that Apple designed to guard against zero-click intrusions by screening untrusted data sent via iMessage.
In another revelation, the Citizen Lab research group claims to have found previously unseen malware on the phone of an anonymous Saudi activist. The phone would be vulnerable to attack if the person received a text message containing a malicious image that is, in fact, an Adobe PSD (Photoshop Document) or PDF file, which would cause iMessage’s image rendering system to crash and deliver the spyware.
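A defensive triage check for the mismatch described above, as an added example that is not code from Citizen Lab or Apple: it compares each attachment's declared extension with the type indicated by its leading magic bytes and reports files that claim to be images but start with a PSD or PDF header. The file names and byte strings in `SAMPLES` are constructed for illustration.

```python
from pathlib import PurePath

# Leading magic bytes for the two formats named in the article (PSD, PDF)
# plus the common image types an attachment might claim to be.
MAGIC = [
    (b"8BPS", "psd"),
    (b"%PDF-", "pdf"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]

# File extension -> type the file claims to be.
EXT_TYPE = {".gif": "gif", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
            ".psd": "psd", ".pdf": "pdf"}


def sniff(data: bytes) -> str:
    """Return the type indicated by the header at offset 0, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def mismatches(attachments: dict) -> list:
    """Return (name, claimed, actual) for files whose header contradicts the extension.

    Empty or unrecognised content behind a known extension is reported too,
    since a renderer would still be asked to parse it.
    """
    findings = []
    for name, data in attachments.items():
        claimed = EXT_TYPE.get(PurePath(name).suffix.lower())
        if claimed is None:
            continue  # extension not covered by this check
        actual = sniff(data)
        if actual != claimed:
            findings.append((name, claimed, actual))
    return findings


# Constructed sample attachments (headers only, no real payloads).
SAMPLES = {
    "IMG_0001.gif": b"GIF89a\x01\x00\x01\x00",
    "IMG_0002.gif": b"8BPS\x00\x01" + b"\x00" * 6,
    "IMG_0003.gif": b"%PDF-1.4\n",
    "report.pdf": b"%PDF-1.7\n",
    "photo.JPG": b"\xff\xd8\xff\xe0",
    "empty.png": b"",
}

if __name__ == "__main__":
    for finding in mismatches(SAMPLES):
        print("extension/content mismatch:", finding)
```

A mismatch alone is only a triage signal, since benign files are sometimes misnamed; it marks attachments that merit closer forensic review.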
Because of their widespread use, chat applications have become a popular target for sophisticated threat actors, including operators involved in government espionage, as well as spyware vendors that serve them. Unfortunately, many chat applications have been designed in a way that makes them vulnerable to attack, the researchers note.
Apple customers using iPhone, iPad, Mac, and Apple Watch devices are urged to install the released security fixes quickly to avoid any risks that may arise from these two actively exploited vulnerabilities.