Apple patches zero-day, zero-click NSO Group exploit

Apple released an iOS update Monday that patched a zero-click iMessage exploit credited to spyware vendor NSO Group.

The Citizen Lab, an academic research lab at the University of Toronto, published a post Monday detailing the zero-day exploit as well as the vulnerability facilitating it. The vulnerability, CVE-2021-30860, was described on Apple's iOS 14.8 security update page as, "processing a maliciously crafted PDF may lead to arbitrary code execution."

CVE-2021-30860 is an integer overflow vulnerability that affects Apple's image rendering library. The flaw impacts iPhone 6s and later, all models of iPad Pro, iPad Air 2 and later, iPad fifth generation and later, iPad mini 4 and later, and seventh-generation iPod touch devices. The update fixing the vulnerability is available now.

According to The Citizen Lab's post, the exploit, called "FORCEDENTRY" by the lab, was discovered "while analyzing the phone of a Saudi activist infected with NSO Group's Pegasus spyware" in March. Following its research, artifacts of the exploit were reported to Apple on Sept. 7, and the vulnerability was disclosed and patched Monday.

The lab described the exploit as a zero-day, zero-click exploit against iMessage that is effective against iOS, MacOS and WatchOS devices. The payload included 27 identical copies of a file with a .gif extension "that was actually a 748-byte Adobe PSD file," with each copy causing an IMTranscoderAgent crash on the device. It also included four different .gif files that were in fact "Adobe PDF files containing a JBIG2-encoded stream."

The Citizen Lab linked the exploit to NSO Group, an Israeli vendor that has been accused of selling spyware to government agencies to target dissidents, activists and journalists. In 2018, the company was linked to the deaths of two journalists in the span of a week. Citizen Lab researchers attributed the exploit via an analysis of forensic artifacts within the spyware on the journalist's phone as well as a process name, "setframed," that researchers said "was used in an attack with NSO Group's Pegasus spyware on an Al Jazeera journalist in July 2020."

An NSO Group spokesperson sent the following statement to SearchSecurity as a PDF: "NSO Group will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime."

Apple praised Citizen Lab in its statement on the exploit, which was attributed to Ivan Krstić, head of Apple Security Engineering and Architecture.

"After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users," Krstić said. "We'd like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data."

CISA published an advisory Monday evening encouraging users and administrators to review relevant security update pages and "apply the necessary updates."

The Citizen Lab did not respond to SearchSecurity's request for comment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.