Apple patches ForcedEntry vulnerability used by spyware firm NSO

Apple has issued a patch for a recently discovered vulnerability that has reportedly been exploited by government customers of Israeli cyber security firm NSO Group to install its Pegasus spyware on target Apple devices.

Listed as CVE-2021-30860, the arbitrary code execution vulnerability was uncovered by The Citizen Lab – which has been investigating and campaigning against the use of NSO’s products by various governments to spy on activists, journalists and politicians.

The zero-day, which The Citizen Lab has dubbed ForcedEntry, was discovered during analysis of a Saudi activist’s phone that had been infected with Pegasus, and first disclosed in August 2021. Following its investigation, the group claimed NSO has been using CVE-2021-30860 since February 2021. ForcedEntry is an integer overflow vulnerability that exists in Apple’s CoreGraphics image rendering library and can be exploited if the target processes a maliciously crafted PDF file.

The Citizen Lab said ForcedEntry impacts all iPhones running iOS versions before 14.8, all Mac computers running OSX prior to Big Sur 11.6 Security Update 2021-005 Catalina, and Apple Watches running prior to watchOS 7.6.2. In its disclosure, Apple additionally stated that iPhone 6s and later, all models of iPad Pro, iPad Air 2 and later, iPad 5^th generation and later, iPad mini 4 and later, and iPod touch 7^th generation are at risk.

“Despite promising their customers the utmost secrecy and confidentiality, NSO Group’s business model contains the seeds of their ongoing unmasking,” wrote The Citizen Lab’s research team members, Bill Marczak, John Scott-Railton, Bahir Abdul Razzak, Noura Al-Jizawi, Siena Anstis, Kristin Berdan and Ron Deibert, in a disclosure blog.

“Selling technology to governments that will use the technology recklessly in violation of international human rights law ultimately facilitates discovery of the spyware by investigatory watchdog organisations, as we and others have shown on multiple prior occasions, and as was the case again here.

“Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating ‘despotism as a service’ for unaccountable government security agencies. Regulation of this growing, highly profitable, and harmful marketplace is desperately needed,” they added.

Apple’s head of security engineering and architecture Ivan Krstíc commended the research team for their work in obtaining a sample of ForcedEntry so that a patch could be quickly developed.

In a statement to the UK’s Guardian newspaper, Krstíc said attacks such as the ones developed at NSO were sophisticated, often short-lived, and used in limited, specific circumstances, and as such were less likely to impact the majority of users of Apple products.

Nick Tausek, security solutions architects at Swimlane, commented: “This zero-day, zero-click vulnerability is significant because it requires no user interaction and impacts all versions of Apple's iOS, OSX, and watchOS.

“While the first inclination is to focus the impact to consumers, the much larger danger lies within companies whose employees are using their personal Apple devices for work.

“To prevent vulnerabilities such as this one from compromising employees and the organisation’s sensitive data, companies should look to centralise and automate their current security threat detection, response and investigation protocols into a single platform.

“By embracing comprehensive security automation, security teams can also free up time to keep up with the evolution of threat tactics, ultimately enhancing security preparedness,” he added.