Apple moves against zero-click exploit with patch


Apple engineers have been working overtime to fix a vulnerability used by a known exploit that could target iPhones and other Apple devices.


Today, Lance Whitney at TechRepublic reports Apple is rolling out a patch for an iMessage-related exploit called FORCEDENTRY that targets image rendering libraries.


“The flaw allowed hackers to spy on devices without the knowledge of users and was exploited by the NSO Group’s Pegasus spyware to compromise the phones of journalists, activists and other prominent individuals,” Whitney writes.


Unlike many common threats to individual devices that we’ve heard about in recent years, this bug has nothing to do with social engineering – it’s a zero-click threat that doesn’t require users to unwittingly click on a malicious link or otherwise assist hackers in getting access. According to the available reporting, it was used by the NSO Group’s Pegasus spyware, which has been on the radar since 2016.


The problem was reported to Apple by cybersec group Citizen Lab.

“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users,” Apple said in a statement reported by The Wall Street Journal. “We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly.”

Zero-click exploits are concerning to businesses that have spent a lot of time educating employees on what not to do in order to protect networks. Much as with the Bring Your Own Device (BYOD) phenomenon, where planners worried about people misusing devices with company data on them, companies now have to worry that zero-click exploits will effectively target these endpoints.

“Zero-click attacks are hard to detect given their nature and hence even harder to prevent,” writes Nandagopal Rajan at The Indian Express. “Detection becomes even harder in encrypted environments where there is no visibility on the data packets being sent or received. One of the things users can do is to ensure all operating systems and software are up to date so that they would have the patches for at least vulnerabilities that have been spotted.”
