Apple Issues Urgent Updates to Fix New Zero-Day Linked to Pegasus Spyware

3 years ago 817
BOOK THIS SPACE FOR AD
ARTICLE AD

Pegasus Spyware

Apple has released iOS 14.8, iPadOS 14.8, watchOS 7.6.2, macOS Big Sur 11.6, and Safari 14.1.2 to fix two actively exploited vulnerabilities, one of which defeated extra security protections built into the operating system.

The list of two flaws is as follows -

CVE-2021-30858 (WebKit) - A use after free issue that could result in arbitrary code execution when processing maliciously crafted web content. The flaw has been addressed with improved memory management. CVE-2021-30860 (CoreGraphics) - An integer overflow vulnerability that could lead to arbitrary code execution when processing a maliciously crafted PDF document. The bug has been remediated with improved input validation.

"Apple is aware of a report that this issue may have been actively exploited," the iPhone maker noted in its advisory.

The updates arrive weeks after researchers from the University of Toronto's Citizen Lab revealed details of a zero-day exploit called "FORCEDENTRY" (aka Megalodon) that was weaponized by Israeli surveillance vendor NSO Group and allegedly put to use by the government of Bahrain to install Pegasus spyware on the phones of nine activists in the country since February this year.

Besides being triggered simply by sending a malicious message to the target, FORCEDENTRY is also notable for the fact that it expressly undermines a new software security feature called BlastDoor that Apple baked into iOS 14 to prevent zero-click intrusions by filtering untrusted data sent over iMessage.

"Our latest discovery of yet another Apple zero day employed as part of NSO Group's arsenal further illustrates that companies like NSO Group are facilitating 'despotism-as-a-service' for unaccountable government security agencies," Citizen Lab researchers said.

"Ubiquitous chat apps have become a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them. As presently engineered, many chat apps have become an irresistible soft target," they added.

CVE-2021-30858 is the latest in a number of WebKit zero-day flaws Apple has rectified this year alone. With this set of latest updates, the company has patched a total of 15 zero-day vulnerabilities since the start of 2021.

Apple iPhone, iPad, Mac, and Apple Watch users are advised to immediately update their software to mitigate any potential threats arising out of active exploitation of the flaws.


Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Read Entire Article