On September 13, 2021, Apple released security updates for supported versions of macOS Big Sur, macOS Catalina, macOS Mojave, iOS, iPadOS, watchOS, and Safari. The updates include a fix for an actively exploited no-click vulnerability. Exploitation of this vulnerability allows a remote attacker to take full control of the Apple device. Users of Apple devices should update their devices immediately.
Security researchers at The Citizen Lab disclosed the vulnerability (dubbed FORCEDENTRY) and the exploit code to Apple on Tuesday, September 7, 2021. The Citizen Lab determined that a software developer supplying national governments used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware. “This spyware can do everything an iPhone user can do on their device and more,” said John Scott-Railton, a senior researcher at Citizen Lab, to The New York Times.
Apple lists the vulnerability as CVE-2021-30860 and describes it as an issue in which processing a maliciously crafted PDF could lead to arbitrary code execution.
The devices specifically affected are those running iOS and iPadOS versions prior to 14.8, all devices running macOS versions prior to macOS Big Sur 11.6, and all Apple Watch devices running watchOS 7.6.2 or earlier.
- Apple Security Updates: https://support.apple.com/en-us/HT201222
- The Citizen Lab report: https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/
- The New York Times summary: https://www.nytimes.com/2021/09/13/technology/apple-software-update-spyware-nso-group.html