Apple has released security updates for a recently discovered zero-day vulnerability that affects all iPhones, iPads, Macs, and Apple Watches. Citizen Lab, which discovered the vulnerability and was credited with the finding, urges users to immediately update their devices.
The tech giant said that iOS 14.8 for iPhones and iPads, as well as new updates for Apple Watch and macOS, will fix at least one vulnerability that it said “may have been actively exploited.”
Citizen Lab said it has now discovered new artifacts of the ForcedEntry vulnerability, details it first revealed in August as part of an investigation into the use of a zero-day vulnerability that was used to silently hack iPhones belonging to at least one Bahraini activist. .
Last month, Citizen Lab said that the zero-day flaw, so named because it gives companies zero days to implement a fix, took advantage of a flaw in Apple’s iMessage, which was exploited to push the Pegasus spyware, developed by the firm. Israeli NSO Group, on the activist’s phone.
Pegasus gives its government customers almost complete access to a target’s device, including their personal data, photos, messages, and location.
The breach was significant because the flaws exploited the latest iPhone software at the time, both iOS 14.4 and later iOS 14.6, which Apple released in May. But the vulnerabilities also broke the new iPhone defenses that Apple had built into iOS 14, dubbed BlastDoor, which were supposed to prevent silent attacks by filtering potentially malicious code. Citizen Lab calls this particular exploit ForcedEntry for its ability to bypass Apple’s BlastDoor protections.
In its latest findings, Citizen Lab said it found evidence of the ForcedEntry exploit on the iPhone of a Saudi activist, who was running the latest version of iOS at the time. The researchers said the exploit exploits a weakness in the way Apple devices render images on the screen.
Citizen Lab now says that the same ForcedEntry exploit works on all apple devices running, to this day, the latest software.
Citizen Lab said it reported its findings to Apple on September 7. Apple issued updates to the vulnerability, officially known as CVE-2021-30860. Citizen Lab said it attributes the ForcedEntry exploit to NSO Group with high confidence, citing evidence it has seen that it has not previously published.
Citizen Lab researcher John Scott-Railton told TechCrunch that messaging apps, such as iMessage, are increasingly a target of nation-state hacking operations and this latest finding underscores the challenges in securing them.
When contacted, Apple declined to comment. NSO Group declined to answer our specific questions.