Citizen Lab discovers iMessage vulnerability exploited to infect Saudi activist's phone with Pegasus; Apple releases patch
"Apple patches an NSO zero-day flaw affecting all devices", 13 September 2021
Apple has released security updates for a newly discovered zero-day vulnerability that affects every iPhone, iPad, Mac and Apple Watch. Citizen Lab, which discovered the vulnerability and was credited with the find, urges users to immediately update their devices.
... Last month, Citizen Lab said the zero day flaw — named as such since it gives companies zero days to roll out a fix — took advantage of a flaw in Apple’s iMessage, which was exploited to push the Pegasus spyware, developed by Israeli firm NSO Group, to the activist’s phone.
In its latest findings, Citizen Lab said it found evidence of the ForcedEntry exploit on the iPhone of a Saudi activist, running at the time the latest version of iOS. The researchers said the exploit takes advantage of a weakness in how Apple devices render images on the display.
... Citizen Lab said it reported its findings to Apple on September 7. Apple pushed out the updates for the vulnerability, known officially as CVE-2021-30860. Citizen Lab said it attributes the ForcedEntry exploit to NSO Group with high confidence, citing evidence it has seen that it has not previously published.
... When reached, Apple declined to comment. NSO Group declined to answer our specific questions.