According to a new report, Apple has just released security updates for macOS, iOS, iPadOS, watchOS and Safari that patch two vulnerabilities (CVE-2021-30860, CVE-2021-30858) that are being exploited in attacks. The scary part about them is that they’re “zero-click”: the user doesn’t have to click on a malicious website or an app for the exploit to launch.
The article in Help Net Security (“Apple fixes ‘zero-click’ iMessage zero-day exploited to deliver spyware (CVE-2021-30860)”, written by Zeljka Zorz) states that active exploitation of CVE-2021-30860, an integer overflow bug that could be exploited via a maliciously crafted PDF to achieve execution of malicious code on vulnerable devices, was flagged by researchers with The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada.
Dubbed FORCEDENTRY, because it allows circumvention of iOS’s BlastDoor security system (which, ironically, was adopted back in January to reinforce iMessage integrity), the zero-day, zero-click exploit targeting CVE-2021-30860 was recovered from the phone of a Saudi activist infected with NSO Group’s Pegasus spyware. It’s considered a “zero-day” flaw because the manufacturer learned of it only after it was already being used in the wild, meaning they had zero days to fix it.
Bill Marczak, research fellow at The Citizen Lab, says that the exploit is invisible to the target, and that they believe that it has been in use by NSO Group since at least February 2021.
More details about their findings have been shared in this post, though the researchers refrained from publishing much technical information about CVE-2021-30860 until most users have had the opportunity to implement the provided updates. The flaw affects iOS, macOS (both Big Sur and Catalina) and watchOS.
In the post from The Citizen Lab, the “payload” was described as:
- 27 copies of an identical file with the “.gif” extension. Despite the extension, the file was actually a 748-byte Adobe PSD file. Each copy of this file caused an IMTranscoderAgent crash on the device. These files each had random-looking ten-character filenames.
- Four different files with the “.gif” extension that were actually Adobe PDF files containing a JBIG2-encoded stream. Two of these files had 34-character names, and two had 97-character names.
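The two indicators in that list (a “.gif” extension on files that are really PSD or PDF data, and a PDF carrying a JBIG2-encoded stream) translate directly into a triage check a defender can run over a folder of exported message attachments. The script below is an added example, not code from Citizen Lab, Apple or the original post; the sample files it writes are constructed inline from the standard format signatures with made-up filenames, and are not the real artifacts from the attack.

```python
"""Flag attachments whose extension does not match their magic bytes, and PDFs that use JBIG2.

Added example (not from Citizen Lab, Apple, or the original post). The sample
files are constructed here so the script runs offline; their contents are just
the standard signatures of each format, not the actual attack artifacts.
"""
from pathlib import Path
import re
import tempfile
from typing import Dict, List, Optional

# Leading-byte signatures for the container formats named in the report.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "psd": (b"8BPS",),
}

# A PDF stream dictionary whose /Filter names JBIG2Decode, alone or inside a filter array.
JBIG2_FILTER = re.compile(rb"/Filter\s*(?:\[[^\]]*?)?/JBIG2Decode")


def detect_format(data: bytes) -> Optional[str]:
    """Return the format whose signature matches the leading bytes, or None if unknown."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def inspect_attachment(path: Path) -> Dict[str, object]:
    """Compare the claimed extension against the content and note JBIG2 use inside PDFs."""
    data = path.read_bytes()
    ext = path.suffix.lstrip(".").lower()
    actual = detect_format(data)
    return {
        "name": path.name,
        "size": len(data),
        "extension": ext,
        "actual_format": actual,
        "mismatch": actual is not None and actual != ext,
        "jbig2": actual == "pdf" and JBIG2_FILTER.search(data) is not None,
    }


def scan_directory(directory: Path) -> List[Dict[str, object]]:
    """Return findings for every regular file whose extension lies or that embeds a JBIG2 stream."""
    findings = []
    for path in sorted(directory.iterdir()):
        if path.is_file():
            result = inspect_attachment(path)
            if result["mismatch"] or result["jbig2"]:
                findings.append(result)
    return findings


# Constructed samples: a genuine GIF, a PSD header under a .gif name (made-up ten-character
# name), and a minimal PDF skeleton declaring a JBIG2Decode image filter under a 34-character name.
SAMPLES = {
    "holiday.gif": b"GIF89a" + bytes(20),
    "k2x9qpz4wd.gif": b"8BPS\x00\x01" + bytes(6) + b"\x00\x03",
    ("q" * 34) + ".gif": (
        b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image "
        b"/Filter /JBIG2Decode /Length 0 >>\nstream\n\nendstream\nendobj\n%%EOF\n"
    ),
}


def write_samples(directory: Path) -> None:
    """Write the constructed sample attachments into a directory."""
    for name, content in SAMPLES.items():
        (directory / name).write_bytes(content)


def demo() -> List[str]:
    """Write the samples to a temporary directory, scan it, and return one line per flagged file."""
    with tempfile.TemporaryDirectory() as tmp:
        directory = Path(tmp)
        write_samples(directory)
        lines = []
        for r in scan_directory(directory):
            note = " with JBIG2Decode" if r["jbig2"] else ""
            lines.append(f"{r['name']}: looks like {r['actual_format']}{note}")
        return lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Point `scan_directory` at an exported attachments folder to triage it. The magic-byte comparison only catches the mislabelled container, not whether the content is malicious, and JBIG2 is a legitimate filter in scanned documents, so treat a hit as a reason to look closer rather than as a verdict.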
Citizen Lab forwarded the artifacts of their testing to Apple on Tuesday, September 7. This Monday, Apple confirmed that the files included a zero-day exploit against iOS and macOS. They designated the FORCEDENTRY exploit CVE-2021-30860 and described it as “processing a maliciously crafted PDF may lead to arbitrary code execution.”
While the attacks exploiting CVE-2021-30860 are likely to be very targeted and not an immediate danger to the overwhelming majority of users, we don’t know much about those exploiting CVE-2021-30858, so it’s generally a good idea for all users to implement the provided security updates as soon as possible.
Interestingly enough, while the update is available, it isn’t being applied automatically: you have to go to General\Software Update within Settings to apply it. You should strongly consider doing that if you have an iPhone, iPad, Mac, Apple Watch or other affected device.
So, what do you think? Are you concerned about zero-click malware that doesn’t even require you to click on anything to launch? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.