Apple released several security updates this week to address the “FORCEDENTRY” vulnerability on iOS devices. The zero-click, zero-day vulnerability has been actively exploited by Pegasus, a spyware application developed by the Israeli company NSO Group and known to target activists, journalists and public figures around the world.
Tracked as CVE-2021-30860, the vulnerability requires little or no interaction from an iPhone user to be exploited, hence the name “FORCEDENTRY”.
Discovered on the iPhone of a Saudi activist
In March, Citizen Lab researchers analyzed the iPhone of an anonymous Saudi activist who had been targeted by NSO Group’s Pegasus spyware. They obtained an iTunes backup of the device, and a review of the dump revealed 27 copies of a mysterious GIF file in various locations, except that the files were not pictures.
These were Adobe Photoshop PSD files saved with a “.gif” extension; the researchers determined that the files were “sent to the phone just before it was hacked” with Pegasus spyware.
“Despite the extension, the file was actually a 748-byte Adobe PSD file. Each copy of this file caused an IMTranscoderAgent crash on the device,” the researchers explained in their report.
Because these crashes resembled behaviors previously observed by the same researchers on the hacked iPhones of nine Bahraini activists, the researchers suspected that the GIFs were part of the same exploit chain. A few other fake GIFs were also present on the device; they were considered malicious Adobe PDF files with longer file names.
“The Citizen Lab disclosed the vulnerability and code to Apple, which attributed the FORCEDENTRY CVE-2021-30860 vulnerability and described the vulnerability as ‘Processing a maliciously crafted PDF may lead to the execution of arbitrary code,’” explained the authors of the report.
Researchers say the vulnerability has been exploited remotely by the NSO Group since at least February 2021 to infect the latest Apple devices with Pegasus spyware.
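The mismatch the researchers found, files named “.gif” whose contents were PSD or PDF data, can be checked for by comparing each file's extension with its leading magic bytes. The sketch below is an added example, not Citizen Lab's tooling; it assumes the backup has already been extracted with original file names restored (iTunes backups store files under hashed names), and the sample files it builds are constructed headers with padding.

```python
import os
import tempfile

# Leading magic bytes of the formats named in the article.
SIGNATURES = {"gif": (b"GIF87a", b"GIF89a"), "psd": (b"8BPS",), "pdf": (b"%PDF-",)}

def sniff_type(header: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for name, magics in SIGNATURES.items():
        if header.startswith(magics):
            return name
    return "unknown"

def find_fake_gifs(root: str) -> list:
    """Return sorted (relative_path, detected_type, size) for .gif files that are not GIFs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".gif"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(8)
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable entry: skip it and keep sweeping
            detected = sniff_type(header)
            if detected != "gif":
                findings.append((os.path.relpath(path, root), detected, size))
    return sorted(findings)

def demo() -> list:
    """Run the sweep over constructed sample data (format headers plus zero padding)."""
    samples = {
        ("a", "real.gif"): b"GIF89a" + b"\x00" * 20,
        ("a", "fake1.gif"): b"8BPS\x00\x01" + b"\x00" * 742,  # 748 bytes, PSD magic
        ("b", "fake2.gif"): b"%PDF-1.4\n" + b"\x00" * 30,
        ("b", "notes.txt"): b"8BPS in a file that is not named .gif",
    }
    with tempfile.TemporaryDirectory() as root:
        for (sub, name), data in samples.items():
            os.makedirs(os.path.join(root, sub), exist_ok=True)
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(data)
        return find_fake_gifs(root)

if __name__ == "__main__":
    for rel, kind, size in demo():
        print(f"{rel}: extension .gif, content {kind}, {size} bytes")
```

A hit only shows that a file's name and content disagree; it is a lead for further analysis, not proof of compromise.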
Apple publishes several security advisories
Apple yesterday released several security updates to fix CVE-2021-30860 on macOS, watchOS, and iOS devices. Apple says the vulnerability can be exploited by “processing a maliciously crafted PDF,” which grants an attacker code execution capabilities.
“Apple is aware of a report that this issue may have been actively exploited,” Apple wrote in one of the notices, not releasing any further information on how the flaw could be exploited.
iPhone and iPad users should install the latest versions of the operating system, iOS 14.8 and iPadOS 14.8, to fix the flaw. Mac users should upgrade to Catalina 2021-005 or macOS Big Sur 11.6. Apple Watch users should get watchOS 7.6.2. All versions prior to the corrected versions are at risk.
Another arbitrary code execution vulnerability, this one in the Safari browser, was reported by an anonymous researcher. Tracked as CVE-2021-30858, the use-after-free vulnerability was also addressed by an update released in Safari 14.1.2.
“We all carry very sophisticated personal devices that have profound implications for privacy. There are many examples of [these risks], like app data collection – which Apple recently decided to curb with its application tracking transparency framework,” Jesse Rothstein, CTO and co-founder of network security company ExtraHop, told Ars. “Any sufficiently sophisticated system has security vulnerabilities that can be exploited, and cell phones are no exception.”
“Pegasus shows how unknown vulnerabilities can be exploited to access highly sensitive personal information,” said Rothstein. “The NSO Group is an example of how governments can essentially outsource or buy militarized cyber capacity. In my opinion, it’s no different from arms trafficking – it’s just not regulated that way. Businesses will still need to fix their vulnerabilities, but regulations will help prevent some of these cyber weapons from being misused or falling into the wrong hands.”