Apple has released a security advisory to fix two zero-day vulnerabilities being abused in active attacks. These flaws exist in iOS/macOS and are tracked as CVE-2021-30860 and CVE-2021-30858. Both of these are zero-day vulnerabilities and have already been exploited by threat actors.
About the flaws
In a recent advisory, Apple said that it has fixed two recent zero-day vulnerabilities that were used to spread Pegasus (by NSO Group) on Bahraini activists’ iPhones. These flaws were abused by a new exploit known as FORCEDENTRY (CVE-2021-30860).
The first flaw, tracked as CVE-2021-30860, is an integer overflow issue discovered by Citizen Lab. It was addressed by improving the input validation.
The second flaw (CVE-2021-30858) is a use-after-free bug that was disclosed by an anonymous researcher. The flaw could be abused to take control of the infected device.
Researchers found out that the FORCEDENTRY exploit can be used to bypass the BlastDoor sandbox launched eight months ago in iOS.
The attack had targeted the iPhones of nine activists identified as part of the Bahrain Center for Human Rights, Al Wefaq, and Waad.
The attack was carried out by a threat actor named LULU and is suspected to be linked to the government of Bahrain.
Spyware, such as Pegasus, exploiting zero-days can have disastrous outcomes as it not only impacts victims' privacy but also concerns national security. While organizations always patch the reported vulnerabilities, experts suggest that regulating the use of such spyware could prevent some of these cyber threats.