Apple has released a security-only update for iOS and macOS that fixes two vulnerabilities, both of which have been exploited by attackers.
One of the flaws was recently discovered by researchers at Citizen Lab while they were examining the iPhone of a Saudi Arabian activist. The researchers found that the phone had been compromised using an exploit for a previously unknown bug in the CoreGraphics component of iOS, and further found that the exploit did not require any user interaction. That vulnerability (CVE-2021-30860) is an integer overflow, and Citizen Lab’s researchers identified some overlap between artifacts of the exploit used for that bug and previous operations associated with the installation of NSO Group’s Pegasus spyware tool.
The exploit has been in use since at least February, and Citizen Lab has termed it FORCEDENTRY. As part of the forensic examination of the compromised phone, the researchers found 27 identical files, all with the .gif extension.
“Because the format of the files matched two types of crashes we had observed on another phone when it was hacked with Pegasus, we suspected that the ‘.gif’ files might contain parts of what we are calling the FORCEDENTRY exploit chain,” the Citizen Lab report on the bug says.
“The spyware installed by the FORCEDENTRY exploit exhibited a forensic artifact that we call CASCADEFAIL, which is a bug whereby evidence is incompletely deleted from the phone’s DataUsage.sqlite file. In CASCADEFAIL, an entry from the file’s ZPROCESS table is deleted, but not entries in the ZLIVEUSAGE table that refer to the deleted ZPROCESS entry. We have only ever seen this type of incomplete deletion associated with NSO Group’s Pegasus spyware, and we believe that the bug is distinctive enough to point back to NSO.”
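The incomplete deletion the report describes can be checked for directly: rows in ZLIVEUSAGE whose process reference no longer resolves to a ZPROCESS row. The following is an added example for this article, not Citizen Lab’s tooling; the column names (Z_PK, ZHASPROCESS, ZPROCNAME, ZBUNDLENAME) are assumptions to be matched against the real DataUsage.sqlite schema, and the sample rows are constructed.

```python
import sqlite3

# Assumed, simplified schema modelled on DataUsage.sqlite. The column names
# are assumptions for this example and must be checked against a real copy.
SCHEMA = """
CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT, ZBUNDLENAME TEXT);
CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
                         ZWIFIIN INTEGER, ZWWANIN INTEGER);
"""

# Usage rows that still reference a process row which no longer exists.
ORPHAN_QUERY = """
SELECT u.Z_PK, u.ZHASPROCESS
FROM ZLIVEUSAGE u
LEFT JOIN ZPROCESS p ON p.Z_PK = u.ZHASPROCESS
WHERE u.ZHASPROCESS IS NOT NULL AND p.Z_PK IS NULL
ORDER BY u.Z_PK
"""


def find_orphaned_usage(conn):
    """Return (ZLIVEUSAGE.Z_PK, ZHASPROCESS) pairs whose ZPROCESS row is missing."""
    return conn.execute(ORPHAN_QUERY).fetchall()


def build_sample_db():
    """Constructed sample: two intact processes plus one whose ZPROCESS row was
    removed while the ZLIVEUSAGE rows pointing at it were left behind."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ZPROCESS VALUES (?, ?, ?)", [
        (1, "mobilemail", "com.apple.mobilemail"),
        (2, "MobileSMS", "com.apple.MobileSMS"),
        (3, "placeholder-proc", "placeholder.bundle"),  # deleted below
    ])
    conn.executemany("INSERT INTO ZLIVEUSAGE VALUES (?, ?, ?, ?)", [
        (10, 1, 1000, 200),
        (11, 2, 50, 10),
        (12, 3, 4096, 8192),
        (13, 3, 512, 64),
    ])
    # Simulate the incomplete cleanup: only the ZPROCESS entry is removed.
    conn.execute("DELETE FROM ZPROCESS WHERE Z_PK = 3")
    conn.commit()
    return conn


if __name__ == "__main__":
    for usage_pk, proc_ref in find_orphaned_usage(build_sample_db()):
        print(f"ZLIVEUSAGE row {usage_pk} references missing ZPROCESS {proc_ref}")
```

An empty result on a real database does not rule out compromise; it only means this particular artifact is absent.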
Pegasus is a tool sold to government and law enforcement agencies to enable remote surveillance of electronic devices, specifically mobile devices. Researchers have identified several zero-day exploits, including other zero-click exploits, that customers of NSO Group have used to install Pegasus, and the tool has been found on the phones of activists and dissidents in many countries.
Along with the vulnerability identified by Citizen Lab, Apple also patched a separate use-after-free bug in WebKit that has also been exploited in the wild.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” the Apple advisory says.
Both vulnerabilities are fixed in iOS 14.8 and macOS Big Sur 11.6.