iPhone users, drop what you’re doing and update now: Apple has issued a warning about a ream of code-execution vulnerabilities – some of which are remotely exploitable – and experts are emphatically recommending an ASAP update to version 14.7 of iOS and iPadOS.
Unfortunately, you aren’t getting a fix for the flaw that makes your iPhones easy prey for Pegasus spyware. As headlines have focused on all week, a zero-click zero-day in Apple’s iMessage feature is being exploited by NSO Group’s notorious Pegasus mobile spyware: A spyware blitz enabled by a bug that has given the security community pause about the security of Apple’s closed ecosystem.
The patches address a total of 40 vulnerabilities, 37 of which are in iPhones. The most severe of the flaws could allow for arbitrary code execution with kernel or root privileges. See below for a full list of the vulnerabilities and their details.
Besides fixing other, non-Pegasus-associated vulnerabilities in iOS and iPadOS, Wednesday’s security updates also squashed bugs in macOS Big Sur 11.5 and in macOS Catalina.
Fortunately, as of now, there are no reports of these vulnerabilities being exploited in the wild. But as noted by MS-ISAC, the Multi-State Information Sharing and Analysis Center, the risk to large and medium-sized government and business entities is rated high. The flaws are rated medium-risk for small business or government entities, while the risk to home users is considered low.
WebKit: The Little Engine That Could…Blow Up
With regards to the security updates in iOS 14.7 and iPad 14.7, four of them are in WebKit, the engine that powers Apple’s Safari browser. All four could lead to arbitrary code execution. Exploitation would require a user to download maliciously crafted web content.
The vulnerabilities – CVE-2021-30758, CVE-2021-30795, CVE-2021-30797 and CVE-2021-30799 – are due to type confusion, use-after-free and memory-corruption issues in WebKit.
IOS 14.7 also fixes a known issue – CVE-2021-30800 – where joining a malicious Wi-Fi network may result in a denial of service or arbitrary code execution.
A Basket of 40 Bad (But Now Fixed) Apples
Below are details of all 40 vulnerabilities in Apple macOS/iOS:
- A shortcut may be able to bypass internet permission requirements due to an input-validation issue in ActionKit (CVE-2021-30763)
- A memory-corruption issue in the AMD kernel may lead to arbitrary code execution with kernel privileges (CVE-2021-30805)
- Opening a maliciously crafted file may lead to unexpected AppKit termination or arbitrary code execution (CVE-2021-30790)
- A local attacker may be able to cause unexpected application termination or arbitrary code execution via Audio (CVE-2021-30781)
- A memory-corruption issue within AVEVideoEncoder may lead to arbitrary code execution with kernel privileges (CVE-2021-30748)
- A malicious application may be able to gain root privileges due to a memory corruption issue in Bluetooth (CVE-2021-30672)
- Processing a maliciously crafted audio file may lead to arbitrary code execution due to a memory corruption issue in CoreAudio (CVE-2021-30775)
- Playing a malicious audio file may lead to unexpected application termination due to a logic issue with input validation in CoreAudio (CVE-2021-30776)
- Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution due to a race condition in CoreGraphics (CVE-2021-30786)
- A malicious application may be able to gain root privileges via CoreServices, and a sandboxed process may be able to circumvent restrictions (CVE-2021-30772, CVE-2021-30783)
- A malicious application may be able to gain root privileges due to an injection issue in CoreStorage (CVE-2021-30777)
- Processing a maliciously crafted font file may lead to arbitrary code execution or process memory disclosure due to out-of-bounds reads in CoreText (CVE-2021-30789, CVE-2021-30733)
- A malicious application may be able to gain root privileges due to a logic issue within Crash Reporter (CVE-2021-30774)
- A malicious application may be able to gain root privileges due to an out-of-bounds write issue in CVMS (CVE-2021-30780)
- A sandboxed process may be able to circumvent sandbox restrictions due to a logic issue in dyld (CVE-2021-30768)
- A malicious application may be able to access Find My data due to a permissions issue (CVE-2021-30804)
- Processing a maliciously crafted font file may lead to arbitrary code execution due to integer and stack overflows in FontParser (CVE-2021-30760, CVE-2021-30759)
- Processing a maliciously crafted tiff file with FontParser may lead to a denial-of-service or potentially disclose memory contents (CVE-2021-30788)
- A malicious application may be able to access a user’s recent Contacts due to a permissions issue in Identity Services (CVE-2021-30803)
- A malicious application may be able to bypass code signing checks due to a code signature validation issue in Identity Services (CVE-2021-30773)
- Processing maliciously crafted web content may lead to arbitrary code execution due to a use after free iddue in Image Processing (CVE-2021-30802)
- Processing a maliciously crafted image with may lead to arbitrary code execution due to a buffer overflow in ImageIO (CVE-2021-30779, CVE-2021-30785)
- An application may be able to cause unexpected system termination or write kernel memory due to an issue in Intel Graphics Driver (CVE-2021-30787)
- An application may be able to execute arbitrary code with kernel privileges due to an out-of-bounds write issue in Intel Graphics Driver (CVE-2021-30765, CVE-2021-30766)
- An unprivileged application may be able to capture USB devices due to an issue in IOUSBHostFamily (CVE-2021-30731)
- A local attacker may be able to execute code on the Apple T2 Security Chip due to multiple logic issues in IOKit (CVE-2021-30784)
- An application may be able to execute arbitrary code with kernel privileges due to logic issues in state management and double free issues in the kernel (CVE-2021-30703, CVE-2021-30793)
- A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication due to a kernel logic issue (CVE-2021-30769)
- An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations due to a kernel logic issue (CVE-2021-30770)
- A malicious application may be able to bypass Privacy preferences due to entitlement issues in Kext Management (CVE-2021-30778)
- A malicious application or sandboxed process may be able to break out of its sandbox or restrictions due to environment sanitization and access restriction issues in LaunchServices (CVE-2021-30677, CVE-2021-30783)
- A remote attacker may be able to cause arbitrary code execution due to an issue in libxml2 (CVE-2021-3518)
- Multiple issues were found in libwebp (CVE-2018-25010, CVE-2018-25011, CVE-2018-25014, CVE-2020-36328, CVE-2020-36329, CVE-2020-36330, CVE-2020-36331)
- Processing a maliciously crafted image may lead to a denial of service due to a logic issue in Model I/O (CVE-2021-30796)
- Processing a maliciously crafted image may lead to arbitrary code execution due to an out-of-bounds write in Model I/O (CVE-2021-30792)
- Processing a maliciously crafted file may disclose user information due to an out-of-bounds read in Model I/O (CVE-2021-30791)
- A malicious application may be able to access restricted files due to an issue in Sandbox (CVE-2021-30782)
- A malicious application may be able to bypass certain Privacy preferences due to a logic issue in TCC (CVE-2021-30798)
- Processing maliciously crafted web content may lead to arbitrary code execution due to type confusion, use after free, and memory corruption issues in WebKit (CVE-2021-30758, CVE-2021-30795, CVE-2021-30797, CVE-2021-30799)
- Joining a malicious Wi-Fi network may result in a denial of service or arbitrary code execution (CVE-2021-30800)
On Wednesday, MS-ISAC urged Apple users to apply appropriate patches to vulnerable systems “immediately after appropriate testing.”
It’s easy: Go to Settings > General > Software Update and follow the prompts.
In an advisory email, MS-ISAC offered these recommendations:
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to download, accept or execute files from untrusted and unknown sources.
- Remind users not to visit untrusted websites or follow links provided by untrusted or unknown sources.
- Evaluate read, write, and execute permissions on all newly installed software.
- Apply the Principle of Least Privilege to all systems and services.
Apple released the iOS 14.7 update on Monday, but the company kept the crucial, now-released list of security-fix details that typically come with iOS upgrades close to the vest. As is its wont, the company held back details in order to protect customers, giving them a chance to update before hanging out dirty laundry for attackers to grab.
Meanwhile, the update for iPadOS is now out: iPadOS 14.7 was released along with the security details yesterday, on Wednesday.
Time to Examine iPhone’s Reputation for Security
Oliver Tavakoli, CTO at the AI cybersecurity company Vectra, noted that Apple’s marketing on security and privacy – “which is backed up by actions they have actually taken” – has resulted in adoption of iPhones by activists, politicians and journalists “at a rate which substantially exceeds adoption within the public at large.”
Is the same true for terrorists and criminals – NSO Group’s purported targets? It’s “up for debate,” Tavakoli told Threatpost on Thursday. Regardless, the proliferation of iPhones by those belonging to groups historically targeted with spyware force us to shine a spotlight on the question of whether Apple’s security can bear the weight of protecting those people.
“Given that NSO’s customers want the ability to monitor Apple devices, it’s pretty clear that NSO is expending substantial effort on exploits for the iOS platform,” he said.
Not to be too hard on Apple: Software will always have flaws, particularly with ever more functionality added to a platform. But Tavakoli feels that “zero-click exploits that can be carried out by perfect strangers (rather than someone on your contact list who has previously been compromised)” are “in a class by themselves.”
Apple shouldn’t just patch the iMessage vulnerability “with a sense of urgency,” he said. The company “should also provide mechanisms which reduce the attack surface available to people not on your contact list.”
Dirk Schrader with New Net Technologies agreed: “No device, and no operating system, is 100 percent error-free,” he observed to Threatpost on Thursday. Case in point is the latest Wi-Fi bug for iPhones: That type of bug that can fetch top dollar on exploit markets, most particularly for iOS vulnerabilities.
“Especially for companies alike to NSO, it is vital to keep a list of exploitable bugs, and the grey market for these bugs is huge, with amounts north of $1 million paid for exploitable bugs identified in iOS,” Schrader said.
Bug-bounty programs can help, but they won’t shut down that grey market and its huge payouts, he continued. That makes fixing the iMessage bug crucial: “Fixing these bugs is not easy,” Schrader noted. “NSO will certainly not reveal the details, providing a responsible disclosure about one of its key revenue generating assets. In order to reinstate that claim of being the most secure device, it will be crucial for Apple to find and fix the bug as fast as possible and to report the details about.”
Sean Wright, principal application security engineer at Immersive Labs, called the iMessage flaw “unexpected,” given Apple’s reputation for security. The company is aware of it being used by Pegasus spyware, although Apple has said that there’s only limited danger to individuals. But that doesn’t mean that, as with any vulnerability, it won’t lead to a wider likelihood of risk.
“The concern is that it shines a light on the application and criminal elements discover how to exploit it at greater scale,” Wright told Threatpost. “This puts the onus on Apple to patch as soon as possible.
“Some have also criticized what they perceive to be a lack of transparency from the company on the problem,” Wright continued. “With devices such as this being central to the lives of so many, those who set the tone for the technology sector are typically held to high standards so people can take action and effectively protect themselves.”
072221 12:51 UPDATE 1: Added comments from Sean Wright.
072321 08:47 UPDATE 2: Corrected typo in identifying CVE-2021-30797.
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.