The Cupertino giant has recently released software updates for almost all of its products. These updates predominantly revolve around one major fix: the FORCEDENTRY bug that NSO exploited to target Apple users, and iPhone users in particular.
Apple Fixed FORCEDENTRY Bug
This week, Apple has fixed the serious security bug that NSO exploited to target iPhone users with the infamous Pegasus malware.
The zero-click vulnerability first caught attention when researchers from CitizenLab reported it. They noticed that the undisclosed iOS zero-click flaw could be used to bypass BlastDoor. The researchers observed the bug being exploited in the wild as a zero-day against iOS 14.4 and 14.6.
As a workaround, they advised users to disable iMessage. That was hardly practical for most users, so the bug demanded urgent attention from Apple.
Apple has now fixed the bug, and it turns out the flaw affected not only iOS but Apple's other platforms as well.
Specifically, Apple fixed this vulnerability, tracked as CVE-2021-30860, with the release of iOS 14.8, macOS Big Sur 11.6, and watchOS 7.6.2. It also addressed the same issue in Security Update 2021-005 Catalina.
Apple described the vulnerability as an integer overflow that it addressed with improved input validation. Regarding the impact of the bug, Apple stated,
Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Though Apple did not say how the exploits happened, CitizenLab confirmed that this is the same FORCEDENTRY bug they had highlighted. Describing the vulnerability, they wrote in their recent post,
The exploit works by exploiting an integer overflow vulnerability in Apple’s image rendering library (CoreGraphics).
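To illustrate the bug class the advisories describe (an integer overflow in image processing, fixed with stricter input validation), here is an added example in C. It is not Apple's or CitizenLab's code and does not reproduce FORCEDENTRY's actual logic; the header struct, field names and the 256 MiB limit are assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed image header for this illustration; not a real PDF or
 * CoreGraphics structure. Every field is attacker-controlled input. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} image_hdr;

/* Vulnerable pattern: buffer size computed in 32-bit arithmetic. Crafted
 * dimensions wrap the product to a small value, the allocation succeeds,
 * and later pixel writes run off the end of the undersized buffer. */
uint32_t buffer_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp; /* may silently wrap */
}

/* Assumed policy limit for this example: reject images over 256 MiB. */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* Hardened pattern ("improved input validation"): reject zero or absurd
 * fields, check each multiplication for overflow, and bound the result
 * before any memory is allocated. Returns the byte count or -1 on reject. */
long long buffer_size_checked(uint32_t width, uint32_t height, uint32_t bpp) {
    size_t n;
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)
        return -1;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &n))
        return -1;
    if (__builtin_mul_overflow(n, (size_t)bpp, &n))
        return -1;
    if (n > MAX_IMAGE_BYTES)
        return -1;
    return (long long)n;
}

/* Decoder front-end that allocates only after validation, so a crafted
 * header yields NULL rather than a dangerously small buffer. */
unsigned char *alloc_pixels(const image_hdr *h) {
    long long n = buffer_size_checked(h->width, h->height, h->bytes_per_pixel);
    if (n < 0)
        return NULL;
    return calloc((size_t)n, 1);
}
```

A 65536 x 65536 x 4 header wraps the unchecked product to exactly 0 bytes, while the checked version rejects it outright.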
Another Security Fix For Safari
Alongside FORCEDENTRY, Apple has also fixed another security bug in WebKit, the engine behind Safari. Apple described it as a use-after-free vulnerability that it addressed with improved memory management.
Apple credited an anonymous researcher with reporting this bug (CVE-2021-30858). Describing its impact, Apple's advisory reads,
Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Apple fixed the vulnerability with the release of Safari 14.1.2 and also shipped the patch in the latest iOS 14.8 and macOS Big Sur updates.
All Apple users should install the recent updates promptly so that their devices receive these fixes.