Apple fixes “zero-click” iMessage zero-day exploited to deliver spyware (CVE-2021-30860)

Apple has released security updates for macOS, iOS, iPadOS, watchOS and Safari that patch two vulnerabilities (CVE-2021-30860, CVE-2021-30858) that are being exploited in attacks in the wild.

About the vulnerabilities (CVE-2021-30860, CVE-2021-30858)

Active exploitation of CVE-2021-30860, a integer overflow bug that could be exploited via a maliciously crafted PDF to achieve execution of malicious code on vulnerable devices, was flagged by researchers with The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada.

Dubbed FORCEDENTRY, because it allows circumvention of iOS’s BlastDoor security system, the zero-day, zero-click exploit targeting CVE-2021-30860 has been recovered from the phone of a Saudi activist infected with NSO Group’s Pegasus spyware.

Bill Marczak, research fellow at The Citizen Lab, says that the exploit is invisible to the target, and that they believe that it has been in use by NSO Group since at least February 2021.

More details about their findings have been shared in this post, though the researchers refrained from publishing much technical information about CVE-2021-30860 until most users have had the opportunity to implement the provided updates. We know that the flaw affects iOS, macOS (both Big Sur and Catalina) and watchOS.

Not many details are available about CVE-2021-30858, the second actively exploited bug fixed in these batch of updates.

Apple says it’s an use after free issue in WebKit, that it affects macOS Big Sur, iOS, iPadOS and Safari, that it can be exploited to achieve RCE if the vulnerable component processes maliciously crafted web content, and that it has been reported by an anonymous researcher.

While the attacks exploiting CVE-2021-30860 are likely to be very targeted and not an immediate danger to the overwhelming majority of users, we don’t know much about those exploiting CVE-2021-30858, so it’s generally a good idea for all users to implement the provided security updates as soon as possible.

Zero-days fixed in Chrome

While we’re on the subject of actively exploited vulnerabilities, Google Project Zero security researcher Maddie Stone took to Twitter yesterday to point out that the latest Chrome release fixes two zero-days (CVE-2021-30632, CVE-2021-30633) with exploits in the wild.

…and Chrome just patched 2 in-the-wild 0-days CVE-2021-30632 (out of bounds write in v8) and CVE-2021-30633 (use-after-free in Indexed DB)

What a Monday https://t.co/19tqlf4Fss

— Maddie Stone (@maddiestone) September 13, 2021