Prior to this publishing, you may already be aware of the recent Apple security updates released to patch against exploits being attributed to the NSO Group’s Pegasus spyware. According to CitizenLab, the exploit, dubbed FORCEDENTRY has been leveraged since at least February 2021 and is tracked as CVE-2021-30860. CitizenLab describes FORCEDENTRY as a zero-day, zero-click exploit against iMessage that could lead to arbitrary code execution by processing a maliciously crafted PDF. Reuters states it more plainly as, the vulnerability lies in how iMessage automatically renders images.
Members are encouraged to address on corporate owned devices as necessary and to advise staff with impacted personal devices to update as soon as possible. According to Apple, impacted devices include all iPhones with iOS versions prior to 14.8, All Mac computers with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina, and all Apple Watches prior to watchOS 7.6.2. CISA has also posted a notification regarding iMessage (CVE-2021-30860) and a Safari (CVE02021-30858) zero-day vulnerability, Apple Releases Security Updates to Address CVE-2021-30858 and CVE-2021-30860. It is important to apply this update as soon as possible on all impacted devices, but be prudent in spreading the word to avoid the proliferation of any overhyped messaging.
Patching is Important, Overhyping is Not Helpful.
There is no argument that these vulnerabilities are very serious and patching is important. However, these are not random acts of exploitation and are not likely to become widespread, despite the propensity for some outlets to overhype this. From what we know, leveraging of these vulnerabilities is highly targeted, as Pegasus spyware has been observed on phones of activists, journalists, and opposition politicians in countries with poor human rights records. These criteria are not something many of us fall under. The following formal statement from Apple (excerpted from The Record) states, “After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”