Apple has released a package of new updates for iOS, iPadOS, watchOS, macOS and Safari to fix two bugs (CVE-2021-30858) and CVE-2021-30860, which are actively used to attack users of Apple devices.
One of them is a mistake that security researchers at Citizen Lab say was most likely used by Israeli surveillance software maker NSO Group to allow government agencies to install spyware on the phones of journalists, lawyers and activists. The researchers say the error allowed the installation without a single click (meaning the target did not have to do anything to be infected) of Pegasus spyware, which allegedly could steal data and passwords from the device and activate the phone’s microphone or camera.
The abuse of this vulnerability called “ForcedEntry” became known last month, when Citizen Lab announced that the bug was successfully used on phones with iOS 14.6. ForcedEntry is activated only by sending a malicious message to the target. The bug undermines a new security feature called BlastDoor that Apple introduced in iOS 14 to prevent click-free intrusions by filtering unreliable data sent via iMessage.
“Our latest discovery of another Apple Zero Day that has become part of the NSO Group’s arsenal further illustrates that companies like the NSO Group enable despotism as a service to irresponsible state security agencies.” said Citizen Lab researchers.
“Ubiquitous chat apps have become a major target for the most sophisticated threat actors, including government spy operations and the mercenary spy companies that serve them. As they are currently designed, many chat apps have become an irresistible target,” the researchers said.
Citizen Lab said an unnamed Saudi activist found an unprecedented malware on the phone: the exploitation chain is activated when victims receive a text message containing a malicious GIF image that is actually an Adobe PSD (Photoshop document) and PDF files designed to crash the iMessage component responsible for automatic image rendering and application of monitoring tools.
With this set of the latest updates, Apple has patched a total of 15 zero-day vulnerabilities since the beginning of this year.
Apple iPhone, iPad, Mac and Apple Watch users are advised to update their software immediately to minimize any potential threats arising from the active exploitation of these bugs.
Source: Informacija.rs by www.informacija.rs.
*The article has been translated based on the content of Informacija.rs by www.informacija.rs. If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!
*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.
*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!