Apple has pushed out emergency patches for two zero-day vulnerabilities under active attack, including one that lets attackers compromise a device simply by sending it a maliciously crafted PDF file. That critical vulnerability, allocated CVE-2021-30860, affects iPhones running iOS versions prior to 14.8, Macs running macOS versions prior to Big Sur 11.6, and Apple Watches running watchOS versions prior to 7.6.2.
That zero-day was identified by Citizen Lab, a Canadian organisation that analyses “digital threats to civil society”, after analysis of the iPhone belonging to a Saudi Arabian activist. Citizen Lab said that “we observed multiple distinctive elements that allowed us to make a high-confidence attribution to NSO Group.”
The zero-day targets Apple’s image rendering library. Citizen Lab has detailed its forensics in its write-up, noting that “ubiquitous chat apps have become a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them. As presently engineered, many chat apps have become an irresistible soft target. Without intense engineering focus, we believe that they will continue to be heavily targeted, and successfully exploited.”
“The exploit works by exploiting an integer overflow vulnerability in Apple’s image rendering library (CoreGraphics). We are publishing limited technical information about CVE-2021-30860 at this time,” Citizen Lab said, pointing to the discovery of several malicious files with the “.gif” extension that were actually either 748-byte Adobe PSD files or Adobe PDF files containing a JBIG2-encoded stream.
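The forensic detail above, files named “.gif” whose contents are really PSD or PDF, is something an incident responder can check for directly. The following is an added example written for this article, not Citizen Lab’s tooling: it sniffs the leading magic bytes of a file, compares them with the extension, and flags PDFs that declare a JBIG2Decode filter. The sample files, their names and their bytes are constructed here for illustration and are not the real FORCEDENTRY artefacts.

```python
"""Triage check: does a file's extension match its content, and does a PDF
carry a JBIG2-encoded stream?  Added example, not Citizen Lab's code."""
import re

# Leading magic bytes for the three formats the article mentions.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"8BPS": "psd",     # Adobe Photoshop document
    b"%PDF-": "pdf",    # PDF header
}

# A PDF stream encoded with JBIG2 names the filter /JBIG2Decode in its
# dictionary, either alone or inside a /Filter array.
JBIG2_FILTER = re.compile(rb"/JBIG2Decode\b")


def sniff(data):
    """Return the content type implied by the file's magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(name, data):
    """Return a list of findings for one file (empty list means nothing odd)."""
    findings = []
    kind = sniff(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext and ext != kind:
        findings.append(f"extension .{ext} does not match content type {kind}")
    if kind == "pdf" and JBIG2_FILTER.search(data):
        findings.append("PDF contains a JBIG2-encoded stream")
    return findings


def triage_all(samples):
    """Run triage over a {name: bytes} mapping and return {name: findings}."""
    return {name: triage(name, data) for name, data in samples.items()}


# Constructed sample inputs (hypothetical names and bytes, not real samples).
SAMPLES = {
    # A genuine GIF: header matches the extension, nothing to report.
    "photo.gif": b"GIF89a" + b"\x00" * 16,
    # A PSD masquerading as a GIF, as described in the write-up.
    "lure.gif": b"8BPS\x00\x01" + b"\x00" * 24,
    # A PDF masquerading as a GIF that embeds a JBIG2-encoded image stream.
    "lure2.gif": (
        b"%PDF-1.7\n1 0 obj\n<< /Type /XObject /Subtype /Image "
        b"/Filter /JBIG2Decode /Length 0 >>\nstream\nendstream\nendobj\n%%EOF\n"
    ),
    # An ordinary PDF with a Flate stream: extension matches, no JBIG2.
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Filter /FlateDecode /Length 0 >>\nendobj\n",
}

if __name__ == "__main__":
    for fname, found in triage_all(SAMPLES).items():
        print(fname, "->", found or "clean")
```

The regex is deliberately simple and only catches the filter name written plainly; PDF name tokens may be hex-escaped (for example `/JBIG2#44ecode`) and streams can be nested inside compressed object streams, so a production check should run the file through a real PDF parser rather than a byte-level search. The extension check, though, needs no parsing and is cheap to run across an entire iMessage attachment directory.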
The controversial Israeli spyware company has previously been linked with exploits targeting WhatsApp and other systems. It is currently being sued by WhatsApp owner Facebook, with Cisco, GitHub, Google, LinkedIn, Microsoft, VMware and the Internet Association filing an amicus brief in support of that lawsuit in December 2020. WhatsApp alleges that NSO Group software was used to hack 1,400 devices via a vulnerability in the messaging service, with Microsoft VP Tom Burt dubbing the group “mercenaries” in a 2020 blog post.
The other Apple zero-day, allocated CVE-2021-30858, was submitted by an anonymous researcher. Apple described it as a use-after-free issue, saying “processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.”