Apple Releases a Patch to Secure iMessage
- By Dawna M. Roberts
- Published: Sep 24, 2021
- Last Updated: Mar 18, 2022
Apple is urging all users of Apple devices (iPad, Macs, iPhone, Apple Watch, etc.) to update their devices immediately with the latest security patch, which fixes a software vulnerability in iMessage.
What is the Danger?
Multiple news outlets are reporting on a zero-click, zero-day Apple ForcedEntry flaw in iMessage that allowed the NSO Group to install spyware on users’ devices.
Apple released the update late on Monday (version 14.8) for macOS, watchOS, iOS, and iPadOS just in time for the company’s big reveal on Tuesday, where they plan to announce the newest lineup of products.
The security patch fixed a flaw in iMessage that Apple coyly implies “may have been actively exploited.”
Threatpost explained that,
“The ForcedEntry exploit was particularly notable in that it was successfully deployed against the latest iOS versions – 14.4 & 14.6 – blowing past Apple’s new BlastDoor sandboxing feature to install spyware on the iPhones of the Bahraini activists.”
How Was it Discovered?
According to Threatpost,
“Citizen Lab first discovered the never-before-seen, zero-click exploit, which it detected targeting iMessaging, last month. It’s allegedly been used to illegally spy on Bahraini activists with NSO Group’s Pegasus spyware, according to the cybersecurity watchdog.”
On Monday, Citizen Lab posted a public notice claiming that in March, they “examined the phone of a Saudi activist who requested anonymity and determined that the phone had been infected with NSO Group’s Pegasus spyware. Last Tuesday, Sept. 7, Citizen Lab forwarded artifacts from two types of crashes on another phone that had been infected with Pegasus, suspecting that both infections showed parts of the ForcedEntry exploit chain,” Threatpost explains.
The flaw has been given the designation CVE-2021-30860 and was discovered a week ago by Citizen Lab and reported to Apple.
Data Breach Today adds,
“The flaw affects iOS before version 14.8, macOS versions before Big Sur 11.6, Catalina before Security Update 2021-005, and watchOS before 7.6.2. The patch fixes an integer overflow vulnerability in Apple’s image rendering library, which is called CoreGraphics.”
The most troubling aspect of this vulnerability is that it requires no interaction from the user to be effective. A zero-click flaw is therefore more dangerous than other types of malware, which require user action.
Citizen Lab nicknamed the flaw “Forcedentry” and claimed it had been used since February to infect devices with Pegasus spyware. Data Breach Today says,
“Citizen Lab says it found indications that Forcedentry had been used against a Saudi activist and activists in Bahrain after examining their devices. Forensic clues indicate that it was likely developed by the NSO Group.”
Security experts explain that iMessage and similar platforms handle a variety of file formats, which puts these apps in more danger than other types of programs. The wide range of formats gives bad actors a larger attack surface.
How Can Users Ensure Their Safety?
Threat researchers are concerned that as cybercriminals devise ways to infiltrate devices without any interaction from the user, access the camera and microphone, and take over phone data, the playing field is decidedly not level. Users need to step up their security game and ensure they do not install any software from untrusted sources. They must keep their devices updated with the latest security patches.
The best defense for any user will be monitoring their device for any suspicious activity and keeping a close eye on their private data. Other tips include:
- Never click a link in SMS text or email.
- Use very strong passwords on all accounts.
- Turn on two-factor authentication for all websites and apps whenever possible.
- Never share personal information in response to unsolicited requests.
- Educate yourself on social engineering tactics and phishing emails.
- Remain alert and always be on the lookout for scams and fraud.