Apple fixes “zero-click” iMessage zero-day exploited to deliver spyware (CVE-2021-30860)
Apple has released security updates for macOS, iOS, iPadOS, watchOS and Safari that patch two vulnerabilities that are being exploited in attacks in the wild.
Active exploitation of CVE-2021-30860, an integer overflow bug that could be triggered via a maliciously crafted PDF to achieve execution of malicious code on vulnerable devices, was flagged by researchers with The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada.
Dubbed FORCEDENTRY, because it allows circumvention of iOS's BlastDoor security system, the zero-day, zero-click exploit targeting CVE-2021-30860 has been recovered from the phone of a Saudi activist infected with NSO Group's Pegasus spyware.
The second flaw, CVE-2021-30858, is a use-after-free issue in WebKit, Apple says; it affects macOS Big Sur, iOS, iPadOS and Safari, it can be exploited to achieve RCE if the vulnerable component processes maliciously crafted web content, and it was reported by an anonymous researcher.
While the attacks exploiting CVE-2021-30860 are likely to be very targeted and not an immediate danger to the overwhelming majority of users, we don't know much about those exploiting CVE-2021-30858, so it's generally a good idea for all users to install the provided security updates as soon as possible.
While we're on the subject of actively exploited vulnerabilities, Google Project Zero security researcher Maddie Stone took to Twitter yesterday to point out that the latest Chrome release fixes two zero-days with exploits in the wild.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/KGd4lTcIjOQ/
Related vulnerabilities

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-24 | CVE-2021-30860 | Integer Overflow or Wraparound vulnerability in multiple products. An integer overflow was addressed with improved input validation. | 7.8 |
| 2021-08-24 | CVE-2021-30858 | Use After Free vulnerability in multiple products. A use after free issue was addressed with improved memory management. | 8.8 |