Apple Plugs iMessage Pegasus Exploit with iOS 14.8 Update
Today, Apple released iOS 14.8 on the eve of the iPhone 13 launch. While not unusual to release a security patch. what is unusual are the timing and contents of this release. Please, update your iPhone, today, do not wait for iOS 15.
You can read the full details of the release notes here, but the interesting bits are contained in CVE-2021-30860:
Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
How was this exploit used?
CitizenLab.ca has identified and confirmed that this CVE has been used and tied to the NSO Group's Pegasus spyware. Dubbed 'FORCEDENTRY' this exploit via Apple's iMessage functions as follows:
- In March 2021, a backup of an iTunes iPhone backup belonging to an anonymous Saudi activist was determined to have been compromised with Pegasus
- FYI, an open-source tool called 'MVT' can be used to determine potential Pegasus compromise:
- It was determined that several ".gif" files were received on the device before exploitation.
- Four of these ".gif" files were determined to actually be PDFs
- The remaining ".gif" files were actually Adobe PSD files which cause an IMTranscoderAgent crash on the device.
- As Citizen lab puts it:
The exploit works by exploiting an integer overflow vulnerability in Apple’s image rendering library (CoreGraphics).
- Apple confirmed the presence of a zero-day exploit which enabled the 'FORCEDENTRY' exploit chain
- This exploit led to a forensic artifact dubbed "CASCADEFAIL" (part of the ZLIVEUSAGE table) which indicated the presence of Pegasus
Again for more information, please visit the Citizen Lab post.
From what I can gather, the exploit goes like this:
- An iMessage is received with numerous ".gif" files/images
- These files contain a payload that enables 'FORCEDENTRY' exploit chain
- 'FORCEDENTRY' uses a zero-day based on CVE-2021-30860 to install the Pegasus malware.