iPhone users – update now!: Apple has issued a warning about a raft of code-execution vulnerabilities, some of which are remotely exploitable, & experts are recommending an ASAP update to version 14.7 of iOS & iPadOS.
The raft of bugs includes several remotely exploitable code-execution flaws. Still to come: a fix for the iMessage flaw that makes iPhones easy prey for Pegasus spyware.
Pegasus
Unfortunately, there is no fix yet for the flaw that makes iPhones easy prey for Pegasus spyware. As headlines have focused on, a zero-click zero-day in Apple’s iMessage feature is being exploited by NSO Group’s notorious Pegasus mobile spyware: a spyware epidemic enabled by a bug that has given the security community pause about the security of Apple’s closed ecosystem.
The patches address a total of 40 vulnerabilities, 37 of which are in iPhones. The most severe of the flaws could allow for arbitrary code execution with kernel or root privileges. See below for a full list of the vulnerabilities & their details.
Vulnerabilities Being Exploited
Besides fixing other, non-Pegasus-associated vulnerabilities in iOS & iPadOS, Wednesday’s security updates also squashed bugs in macOS Big Sur 11.5 & in macOS Catalina.
As yet, there are no reports of these vulnerabilities being exploited in the wild. But as noted by MS-ISAC, the Multi-State Information Sharing & Analysis Center, the risk to large & medium-sized government & business entities is rated high. The flaws are rated medium risk for small business or government entities, while the risk to home users is considered low.
WebKit: The Little Engine
Of the security fixes in iOS 14.7 & iPadOS 14.7, four are in WebKit, the engine that powers Apple’s Safari browser (&, on iOS, every other browser as well). All four could lead to arbitrary code execution. Exploitation would require a user to process maliciously crafted web content, typically by visiting a page that serves it.
The vulnerabilities – CVE-2021-30758, CVE-2021-30795, CVE-2021-30797 & CVE-2021-30799 – are due to type confusion, use-after-free & memory-corruption issues in WebKit.
iOS 14.7 also fixes a known issue – CVE-2021-30800 – in which joining a malicious Wi-Fi network may result in a denial of service or arbitrary code execution.
40 Bad Apples – Now Fixed
Below are details of all 40 vulnerabilities in Apple macOS/iOS:
- A shortcut may be able to bypass Internet permission requirements due to an input-validation issue in ActionKit (CVE-2021-30763)
- A memory-corruption issue in the AMD Kernel component may lead to arbitrary code execution with kernel privileges (CVE-2021-30805)
- Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution due to an issue in AppKit (CVE-2021-30790)
- A local attacker may be able to cause unexpected application termination or arbitrary code execution via Audio (CVE-2021-30781)
- A memory-corruption issue within AVE Video Encoder may lead to arbitrary code execution with kernel privileges (CVE-2021-30748)
- A malicious application may be able to gain root privileges due to a memory-corruption issue in Bluetooth (CVE-2021-30672)
- Processing a maliciously crafted audio file may lead to arbitrary code execution due to a memory-corruption issue in CoreAudio (CVE-2021-30775)
- Playing a malicious audio file may lead to unexpected application termination due to a logic issue with input validation in CoreAudio (CVE-2021-30776)
- Opening a maliciously crafted PDF file may lead to unexpected application termination or arbitrary code execution due to a race condition in CoreGraphics (CVE-2021-30786)
- A malicious application may be able to gain root privileges via CoreServices, & a sandboxed process may be able to circumvent restrictions (CVE-2021-30772, CVE-2021-30783)
- A malicious application may be able to gain root privileges due to an injection issue in CoreStorage (CVE-2021-30777)
- Processing a maliciously crafted font file may lead to arbitrary code execution or process-memory disclosure due to out-of-bounds reads in CoreText (CVE-2021-30789, CVE-2021-30733)
- A malicious application may be able to gain root privileges due to a logic issue within Crash Reporter (CVE-2021-30774)
- A malicious application may be able to gain root privileges due to an out-of-bounds write issue in CVMS (CVE-2021-30780)
- A sandboxed process may be able to circumvent sandbox restrictions due to a logic issue in dyld (CVE-2021-30768)
- A malicious application may be able to access Find My data due to a permissions issue (CVE-2021-30804)
- Processing a maliciously crafted font file may lead to arbitrary code execution due to integer & stack overflows in FontParser (CVE-2021-30760, CVE-2021-30759)
- Processing a maliciously crafted TIFF file with FontParser may lead to a denial of service or potentially disclose memory contents (CVE-2021-30788)
- A malicious application may be able to access a user’s recent Contacts due to a permissions issue in Identity Services (CVE-2021-30803)
- A malicious application may be able to bypass code-signing checks due to a code-signature validation issue in Identity Services (CVE-2021-30773)
- Processing maliciously crafted web content may lead to arbitrary code execution due to a use-after-free issue in Image Processing (CVE-2021-30802)
- Processing a maliciously crafted image may lead to arbitrary code execution due to buffer overflows in ImageIO (CVE-2021-30779, CVE-2021-30785)
- An application may be able to cause unexpected system termination or write kernel memory due to an issue in Intel Graphics Driver (CVE-2021-30787)
- An application may be able to execute arbitrary code with kernel privileges due to out-of-bounds write issues in Intel Graphics Driver (CVE-2021-30765, CVE-2021-30766)
- An unprivileged application may be able to capture USB devices due to an issue in IOUSBHostFamily (CVE-2021-30731)
- A local attacker may be able to execute code on the Apple T2 Security Chip due to multiple logic issues in IOKit (CVE-2021-30784)
- An application may be able to execute arbitrary code with kernel privileges due to logic issues in state management & double-free issues in the kernel (CVE-2021-30703, CVE-2021-30793)
- A malicious attacker with arbitrary read & write capability may be able to bypass Pointer Authentication due to a kernel logic issue (CVE-2021-30769)
- An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations due to a kernel logic issue (CVE-2021-30770)
- A malicious application may be able to bypass Privacy preferences due to entitlement issues in Kext Management (CVE-2021-30778)
- A malicious application or sandboxed process may be able to break out of its sandbox or restrictions due to environment-sanitisation & access-restriction issues in LaunchServices (CVE-2021-30677, CVE-2021-30783)
- A remote attacker may be able to cause arbitrary code execution due to an issue in libxml2 (CVE-2021-3518)
- Multiple issues were found in libwebp (CVE-2018-25010, CVE-2018-25011, CVE-2018-25014, CVE-2020-36328, CVE-2020-36329, CVE-2020-36330, CVE-2020-36331)
- Processing a maliciously crafted image may lead to a denial of service due to a logic issue in Model I/O (CVE-2021-30796)
- Processing a maliciously crafted image may lead to arbitrary code execution due to an out-of-bounds write in Model I/O (CVE-2021-30792)
- Processing a maliciously crafted file may disclose user information due to an out-of-bounds read in Model I/O (CVE-2021-30791)
- A malicious application may be able to access restricted files due to an issue in Sandbox (CVE-2021-30782)
- A malicious application may be able to bypass certain Privacy preferences due to a logic issue in TCC (CVE-2021-30798)
- Processing maliciously crafted web content may lead to arbitrary code execution due to type-confusion, use-after-free & memory-corruption issues in WebKit (CVE-2021-30758, CVE-2021-30795, CVE-2021-30797, CVE-2021-30799)
- Joining a malicious Wi-Fi network may result in a denial of service or arbitrary code execution (CVE-2021-30800)
Update Now
On Wednesday, MS-ISAC urged Apple users to apply appropriate patches to vulnerable systems “immediately after appropriate testing.”
It’s easy: Go to Settings > General > Software Update & follow the prompts.
In an advisory email, MS-ISAC offered these recommendations:
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to download, accept or execute files from untrusted & unknown sources.
- Remind users not to visit untrusted websites or follow links provided by untrusted or unknown sources.
- Evaluate read, write, & execute permissions on all newly installed software.
- Apply the Principle of Least Privilege to all systems & services.
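For anyone responsible for more than a handful of devices, "update now" turns into "find the devices that haven't." The script below is an added example, not code from the article, Apple or MS-ISAC: it triages a device inventory against the minimum fixed releases the article names (iOS 14.7, iPadOS 14.7, macOS Big Sur 11.5). The inventory records are constructed sample data standing in for an MDM export, & their field names are assumptions. The point it makes that the prose does not: Apple version strings must be compared numerically, component by component, or a hypothetical "14.10" is judged older than "14.7", & a "14.7" must be treated as equal to "14.7.0". Devices on an older major branch (Catalina, say, which the article mentions but does not version) are reported as "unknown" rather than silently marked vulnerable, since those branches get separate security updates.

```python
"""Fleet triage against the fixed releases named in the article.

Added example; not from the original article, Apple or MS-ISAC.
The inventory below is constructed sample data; field names are assumed.
"""
from __future__ import annotations

# Minimum release that carries the fixes described in the article.
# macOS Catalina is deliberately absent: the article gives it no version.
FIXED_VERSIONS: dict[str, tuple[int, ...]] = {
    "iOS": (14, 7),
    "iPadOS": (14, 7),
    "macOS": (11, 5),
}

# Constructed sample inventory (not real devices). The "14.10" entry is a
# hypothetical later release, present only to show numeric comparison.
SAMPLE_INVENTORY = [
    {"id": "iphone-01", "platform": "iOS", "version": "14.7"},
    {"id": "iphone-02", "platform": "iOS", "version": "14.6"},
    {"id": "iphone-03", "platform": "iOS", "version": "14.10"},
    {"id": "ipad-01", "platform": "iPadOS", "version": "14.7.1"},
    {"id": "mac-01", "platform": "macOS", "version": "11.4"},
    {"id": "mac-02", "platform": "macOS", "version": "11.5"},
    {"id": "mac-03", "platform": "macOS", "version": "10.15.7"},
    {"id": "watch-01", "platform": "watchOS", "version": "7.6"},
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '14.6.1' into (14, 6, 1); refuse garbage instead of guessing."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Component-wise numeric compare; missing trailing parts count as 0.

    Returns -1, 0 or 1. Padding makes (14, 7) == (14, 7, 0), and integer
    comparison makes (14, 10) > (14, 7), which a string compare gets wrong.
    """
    width = max(len(a), len(b))
    a_padded = a + (0,) * (width - len(a))
    b_padded = b + (0,) * (width - len(b))
    return (a_padded > b_padded) - (a_padded < b_padded)


def status(platform: str, version: str) -> str:
    """Classify one device as 'patched', 'vulnerable' or 'unknown'."""
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        return "unknown"  # e.g. watchOS: not covered by the article
    have = parse_version(version)
    if have[0] < fixed[0]:
        # Older major branch (e.g. Catalina 10.15): separate updates that
        # the article does not version, so do not pretend to know.
        return "unknown"
    return "patched" if compare_versions(have, fixed) >= 0 else "vulnerable"


def triage(inventory: list[dict[str, str]]) -> dict[str, list[str]]:
    """Group device ids by status so the 'vulnerable' list can be actioned."""
    groups: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for device in inventory:
        groups[status(device["platform"], device["version"])].append(device["id"])
    return groups


if __name__ == "__main__":
    for label, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{label:10s} {', '.join(ids) or '-'}")
```

Run as-is it prints the three groups for the sample inventory; in practice the `SAMPLE_INVENTORY` list is replaced by the platform/version columns of a real MDM export. The "unknown" bucket is the one that usually needs a human: it holds both devices the article does not cover at all & older branches that may or may not have received their own update.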
iOS Upgrades
Apple released the iOS 14.7 update on Monday, but the company initially kept the list of security-fix details that typically accompanies iOS upgrades close to its chest. It held back the details in order to protect customers, giving them a chance to update before revealing specifics that attackers could use.
Meanwhile, the iPadOS update is now out as well: iPadOS 14.7 was released on Wednesday, along with the security details for both platforms.
iPhone’s Reputation for Security
Oliver Tavakoli, CTO at the AI cybersecurity company Vectra, noted that Apple’s marketing on security & privacy – “which is backed up by actions they have actually taken” – has resulted in adoption of iPhones by activists, politicians & journalists “at a rate which substantially exceeds adoption within the public at large.”
Is the same true for terrorists & criminals – NSO Group’s purported targets? It’s “up for debate,” Tavakoli said on Thursday. Regardless, the proliferation of iPhones among groups historically targeted with spyware forces us to ask whether Apple’s security can bear the weight of protecting those people.
Substantial Effort
“Given that NSO’s customers want the ability to monitor Apple devices, it’s pretty clear that NSO is expending substantial effort on exploits for the iOS platform,” he explained.
Not to be too hard on Apple: Software will always have flaws, particularly with ever more functionality added to a platform. But Tavakoli feels that “zero-click exploits that can be carried out by perfect strangers (rather than someone on your contact list who has previously been compromised)” are “in a class by themselves.”
Apple shouldn’t just patch the iMessage vulnerability “with a sense of urgency,” he said. The company “should also provide mechanisms which reduce the attack surface available to people not on your contact list.”
Top Dollar
Dirk Schrader of New Net Technologies agreed: “No device, & no operating system, is 100% error-free,” he observed. Case in point is the latest Wi-Fi bug for iPhones: the type of bug that can fetch top dollar on exploit markets, particularly when it affects iOS.
“Especially for companies like NSO, it is vital to keep a list of exploitable bugs, & the grey market for these bugs is huge, with amounts north of $1m paid for exploitable bugs identified in iOS,” Schrader said.
Bug-Bounty Programs
Bug-bounty programs can help, but they won’t shut down that grey market & its huge pay-outs, he continued. That makes fixing the iMessage bug crucial: “Fixing these bugs is not easy,” Schrader noted. “NSO will certainly not reveal the details, providing a responsible disclosure about one of its key revenue-generating assets. In order to reinstate that claim of being the most secure device, it will be crucial for Apple to find & fix the bug as fast as possible & to report the details about.”
Sean Wright, Principal Application Security Engineer at Immersive Labs, called the iMessage flaw “unexpected,” given Apple’s reputation for security.
Apple is aware that the flaw is being used by Pegasus spyware, although the company has said the danger to most individuals is limited. However, as with any vulnerability, that doesn’t mean the risk won’t spread more widely.
Technology Sector
“The concern is that it shines a light on the application & criminal elements discover how to exploit it at greater scale,” Wright explained. “This puts the onus on Apple to patch as soon as possible.
“Some have also criticised what they perceive to be a lack of transparency from the company on the problem,” Wright continued.
“With devices such as this being central to the lives of so many, those who set the tone for the technology sector are typically held to high standards so people can take action & effectively protect themselves.”