Security News > 2021 > September > Apple emergency patches fix zero-click iMessage bug used to inject NSO spyware

Apple emergency patches fix zero-click iMessage bug used to inject NSO spyware
2021-09-13 23:06

Apple on Monday issued security patches for its mobile and desktop operating systems, and for its WebKit browser engine, to address two security flaws, at least one of which was, it is said, used by autocratic governments to spy on human rights advocates.

On August 24, 2021, researchers with the organization reported that the iPhones of nine Bahraini activists had been hacked between June 2020 and February 2021 using NSO Group's Pegasus spyware and two zero-click iMessage exploits.

The name FORCEDENTRY is a reference to the exploit's ability to bypass a defense Apple implemented in iOS 14 called Blast Door that was supposed to safeguard iMessage traffic.

"Our latest discovery of yet another Apple zero day employed as part of NSO Group's arsenal further illustrates that companies like NSO Group are facilitating 'despotism-as-a-service' for unaccountable government security agencies," Citizen Lab researchers said in a post on Monday.

Dubbed "Synoptic Acanthopterygian" by Vulnonym, it's a use-after-free vulnerability that allows malicious web content processed by Apple's WebKit rendering engine - which Apple requires all browsers on iOS to use - to execute arbitrary code.

The Register asked Apple to comment and the company, ever concerned that its customers should be well-informed, did not respond.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/09/13/apple_ios_macos_security_fixes/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apple 72 238 1567 2279 265 4349