On 13 September 2021, Apple pushed an out-of-band update to iPhone, iPad, Apple Watch and Mac users, something it rarely does, and, even more unusually, accompanied it with an official advisory stressing the importance of installing it.
The trigger was a report from Citizen Lab showing that a maliciously crafted PDF can exploit CVE-2021-30860, an integer overflow in CoreGraphics, to run arbitrary code on iOS, macOS and watchOS. The same release also fixed CVE-2021-30858, a use-after-free in WebKit reachable from malicious web content, which Apple likewise said may have been exploited in the wild. Bad news for users, but it is worth understanding what it means and where the threat comes from.
It started in March 2021, when Citizen Lab analysed an iPhone belonging to a Saudi activist and found it infected with Pegasus, the spyware sold by the Israeli company NSO Group. Among the artefacts they found a previously unknown 0-day, 0-click exploit (no user interaction required), which Citizen Lab named FORCEDENTRY and which worked against iOS, macOS and watchOS devices.
The delivery channel is iMessage: the attacker sends an attachment whose .gif extension hides a PDF (in some cases an Adobe PSD), and Apple's image-rendering code parses it automatically, bypassing the BlastDoor sandbox that iOS 14 introduced for iMessage attachments. Citizen Lab first described FORCEDENTRY in its 24 August report on Bahraini activists and published the details on 13 September: the malformed PDF triggers CVE-2021-30860 in CoreGraphics, the memory corruption gives the attacker code execution, and from there full access to the data on the device. The document does not carry "hidden commands" in the sense of a script; it is crafted to corrupt memory in the parser.
The most serious aspect is that the victim sees nothing: no message to open, no prompt, no visible sign of infection. It has been used at least by customers of NSO Group. Citizen Lab's 24 August 2021 report, widely covered in the press that week, documented nine Bahraini activists, including members of the Bahrain Center for Human Rights, whose iPhones were compromised with Pegasus between June 2020 and February 2021; FORCEDENTRY was in use from February 2021, and the earlier infections used a different zero-click exploit, KISMET.
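The extension/content mismatch described above is the kind of thing a responder can check for in a device backup. The script below is an added example, not code from Citizen Lab, Apple or the article: it identifies a file's real container type from its first bytes and flags files whose name claims one type while the content is another (a .gif that starts with "%PDF" or "8BPS"). The signature table and the sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not code from Citizen Lab, Apple or the article): triage check
# for the extension/content mismatch Citizen Lab described, where the
# FORCEDENTRY attachments carried a .gif extension but were really PDF (and in
# some cases Adobe PSD) files. The signature table is an assumption chosen for
# the example, not a list published by either organisation.

# Identify a file's real container type from its first four bytes (hex).
sniff_type() {
    hex=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case $hex in
        47494638) echo gif ;;      # "GIF8"
        25504446) echo pdf ;;      # "%PDF"
        38425053) echo psd ;;      # "8BPS"
        89504e47) echo png ;;      # "\x89PNG"
        ffd8ff*)  echo jpeg ;;     # JPEG SOI marker
        *)        echo unknown ;;
    esac
}

# What the file name claims to be (extension compared case-insensitively).
ext_type() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        *.gif)        echo gif ;;
        *.pdf)        echo pdf ;;
        *.psd)        echo psd ;;
        *.png)        echo png ;;
        *.jpg|*.jpeg) echo jpeg ;;
        *)            echo unknown ;;
    esac
}

# True (exit 0) when the extension claims a known type and the bytes disagree.
magic_mismatch() {
    claimed=$(ext_type "$1")
    actual=$(sniff_type "$1")
    [ "$claimed" != unknown ] && [ "$claimed" != "$actual" ]
}

# Walk one directory (e.g. message attachments extracted from a backup) and
# report every mismatch. Exit status 1 if anything was flagged.
scan_dir() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if magic_mismatch "$f"; then
            printf 'MISMATCH %s: name says %s, content is %s\n' \
                "$f" "$(ext_type "$f")" "$(sniff_type "$f")"
            found=1
        fi
    done
    return $found
}

# Demo on constructed files (made up for this example, not real samples).
demo=$(mktemp -d)
printf 'GIF89a\001\001'        > "$demo/benign.gif"
printf '%%PDF-1.7\n1 0 obj\n'  > "$demo/looks_like_a.gif"
printf '8BPS\001\001'          > "$demo/also_a.gif"
scan_dir "$demo" || echo "review the flagged files"
rm -rf "$demo"
```

Run it against the attachments directory of an extracted backup; it is deliberately conservative (a file with an unknown extension is never flagged) and is only a first-pass indicator, not proof of compromise.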
How it affects you …
We all keep personal data and contacts on devices that are permanently online, so a 0-day that nobody knew about and that allows silent, complete takeover of Apple phones, tablets, watches and computers is an opportunity other attackers will not pass up now that its existence is public.
This makes every iPhone, iPad, iPod touch, Apple Watch and Mac user a potential target from now on. Unfortunately for Apple, this is not the first actively exploited 0-day it has had to patch this year:
- In January, three 0-days affecting iOS that were being actively exploited.
- In March, a WebKit 0-day in iOS for which Apple acknowledged reports of an exploit in the wild.
- In April, a WebKit 0-day for iOS and a Gatekeeper bypass for macOS (CVE-2021-30657) that the Shlayer adware was actively exploiting to run unsigned, un-notarised apps.
- In May, three more WebKit 0-days that give code execution on iOS from a malicious web page, plus a macOS 0-day (CVE-2021-30713) that bypasses the TCC privacy controls and was exploited by the XCSSET malware.
- In June, two WebKit 0-days actively exploited against older devices and fixed in iOS 12.5.4.
What to do…
Keep Apple devices up to date and install the updates released on 13 September now: iOS 14.8, iPadOS 14.8, watchOS 7.6.2, macOS Big Sur 11.6, Security Update 2021-005 for Catalina and Safari 14.1.2. Apple's index of security updates is at https://support.apple.com/en-us/HT201222 and the iOS/iPadOS 14.8 advisory at https://support.apple.com/en-us/HT212807.
These fix the flaws reported by Citizen Lab and other researchers, closing the door to attackers who would use them to read the data on the device or to install malware for espionage or ransomware.
Whatever the device (iPhone, iPad, Apple Watch or Mac), install the update as soon as possible: once a fix is public, the underlying bug is quickly reverse-engineered and is more likely to be picked up by ordinary criminal groups. Patching closes the entry point but does not remove spyware that was already installed, so anyone who believes they were targeted should have the device forensically examined.
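For fleet or help-desk use, the question "is this device on a fixed build?" is easy to get wrong, because Catalina gets its fix as a security update that leaves the product version unchanged. The script below is an added example, not code from Apple or the article: it compares a reported OS version against the fixed releases named above (iOS/iPadOS 14.8, watchOS 7.6.2, macOS Big Sur 11.6) and treats Catalina as needing a separate look at the update history. The iOS 12.5.5 threshold for devices that cannot run iOS 14 is an assumption added here (Apple shipped that update on 23 September 2021, after the updates this page discusses).

```shell
#!/bin/sh
# Added example (not from Apple or the article): decide whether a reported OS
# version is at or above the release that fixed CVE-2021-30860, using the fixed
# versions from Apple's 13 September 2021 advisories: iOS/iPadOS 14.8,
# watchOS 7.6.2, macOS Big Sur 11.6. Catalina (10.15.x) received Security
# Update 2021-005, which does not change the product version, so it is reported
# as needing a separate check of the update history. The iOS 12.5.5 threshold
# (shipped 23 September 2021) is an assumption for devices stuck on iOS 12.

# version_ge A B: exit 0 when dotted version A >= B (up to three numeric
# fields; a missing field counts as 0, so 14.8 == 14.8.0).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        have=$(printf '%s' "$1" | cut -d. -f"$i")
        need=$(printf '%s' "$2" | cut -d. -f"$i")
        have=${have:-0}; need=${need:-0}
        if [ "$have" -gt "$need" ]; then return 0
        elif [ "$have" -lt "$need" ]; then return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# forcedentry_status OS VERSION
#   prints: patched | vulnerable | check-security-updates | unknown
forcedentry_status() {
    os=$1; ver=$2
    # Reject anything that is not a plain dotted number (e.g. "11.6 beta").
    case $ver in ''|*[!0-9.]*) echo unknown; return 0 ;; esac
    case $os in
        ios|ipados)
            case $ver in 12.*) need=12.5.5 ;; *) need=14.8 ;; esac ;;
        watchos) need=7.6.2 ;;
        macos)
            case $ver in 10.15*) echo check-security-updates; return 0 ;; esac
            need=11.6 ;;
        *) echo unknown; return 0 ;;
    esac
    if version_ge "$ver" "$need"; then echo patched; else echo vulnerable; fi
}

# Constructed examples (not real device data).
for pair in "macos 11.5.2" "ios 14.8" "macos 10.15.7" "watchos 7.6.1"; do
    set -- $pair
    printf '%s %s -> %s\n' "$1" "$2" "$(forcedentry_status "$1" "$2")"
done

# Live check when run on a Mac; does nothing elsewhere (no sw_vers on Linux).
if command -v sw_vers >/dev/null 2>&1; then
    v=$(sw_vers -productVersion)
    printf 'this Mac (%s): %s\n' "$v" "$(forcedentry_status macos "$v")"
    case $v in 10.15*)
        softwareupdate --history | grep -i '2021-005' \
            || echo 'Security Update 2021-005 not found in update history' ;;
    esac
fi
```

The version comparison is numeric field by field, so 14.10 would correctly sort above 14.8; the one thing it cannot see is a missing security update on a version branch that does not bump the product version, which is why Catalina gets its own branch.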