Apple emergency patches fix zero-click iMessage bug used to inject NSO spyware
2021-09-13 23:06

Apple on Monday issued security patches for its mobile and desktop operating systems, and for its WebKit browser engine, to address two security flaws, at least one of which was, it is said, used by autocratic governments to spy on human rights advocates.

On August 24, 2021, researchers with Citizen Lab reported that the iPhones of nine Bahraini activists had been hacked between June 2020 and February 2021 using NSO Group's Pegasus spyware and two zero-click iMessage exploits.

The name FORCEDENTRY refers to the exploit's ability to bypass a defense Apple introduced in iOS 14 called BlastDoor, which was supposed to sandbox the parsing of iMessage traffic.

"Our latest discovery of yet another Apple zero day employed as part of NSO Group's arsenal further illustrates that companies like NSO Group are facilitating 'despotism-as-a-service' for unaccountable government security agencies," Citizen Lab researchers said in a post on Monday.

The second flaw, dubbed "Synoptic Acanthopterygian" by Vulnonym, is a use-after-free vulnerability that allows malicious web content processed by Apple's WebKit rendering engine - which Apple requires all browsers on iOS to use - to execute arbitrary code.

The Register asked Apple to comment and the company, ever concerned that its customers should be well-informed, did not respond.
News URL

https://go.theregister.com/feed/www.theregister.com/2021/09/13/apple_ios_macos_security_fixes/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apple 138 568 4113 1587 2429 8697