
Overview

Apple has released patches addressing two vulnerabilities (CVE-2021-30858 and CVE-2021-30860) across multiple products.

One of these is used by the FORCEDENTRY exploit, which we have written about previously: processing a maliciously crafted PDF may lead to arbitrary code execution.

The other is a use-after-free issue in WebKit: processing maliciously crafted web content may lead to arbitrary code execution.

Impact

A remote attacker may be able to trigger system-level code execution on a device.

Vulnerability Detection

To see the current version on iOS, go to
Settings > General > About

On macOS, the version can be seen in About This Mac.

Affected Products

All iPhones running iOS versions prior to 14.8; all Mac computers running macOS versions prior to Big Sur 11.6, or running Catalina without Security Update 2021-005; and all Apple Watches running watchOS versions prior to 7.6.2.

Containment, Mitigations & Remediations

Devices should be updated as soon as possible.

To update iOS, go to
Settings > General > Software Update

This should either say “iOS is up to date” or give you the option to update.

Indicators of Compromise

The Pegasus group’s use of FORCEDENTRY can be detected by forensically investigating the affected iPhone. An artifact exists in the DataUsage.sqlite file: ZLIVEUSAGE rows whose ZHASPROCESS value no longer matches any ZPROCESS row. It can be detected with the following query:

SELECT 'CASCADEFAIL' FROM ZLIVEUSAGE WHERE ZLIVEUSAGE.ZHASPROCESS NOT IN (SELECT Z_PK FROM ZPROCESS);
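
A Python script, added here as an example and not part of the original advisory, that runs this orphan check against a copy of DataUsage.sqlite opened read-only. The sample database it builds is a constructed, cut-down stand-in for the real schema (only the columns the query touches), and the process names and timestamps are made up.

```python
import contextlib
import os
import sqlite3
import tempfile
from typing import List, Tuple

# The orphan check from the advisory. The SELECT list is widened from the
# 'CASCADEFAIL' marker to the columns an analyst wants to see for each hit.
# Note: rows whose ZHASPROCESS is NULL are NOT reported, because
# NULL NOT IN (...) evaluates to NULL rather than true.
ORPHAN_QUERY = """
SELECT ZLIVEUSAGE.Z_PK, ZLIVEUSAGE.ZHASPROCESS, ZLIVEUSAGE.ZTIMESTAMP
FROM ZLIVEUSAGE
WHERE ZLIVEUSAGE.ZHASPROCESS NOT IN (SELECT Z_PK FROM ZPROCESS)
"""


def find_orphaned_usage(db_path: str) -> List[Tuple[int, int, float]]:
    """Return orphaned ZLIVEUSAGE rows from a copy of DataUsage.sqlite.

    The file is opened read-only (mode=ro) so the evidence copy is untouched.
    """
    uri = f"file:{db_path}?mode=ro"
    with contextlib.closing(sqlite3.connect(uri, uri=True)) as conn:
        return conn.execute(ORPHAN_QUERY).fetchall()


def build_sample_db(db_path: str) -> None:
    """Constructed stand-in for DataUsage.sqlite (hypothetical, cut-down schema)."""
    with contextlib.closing(sqlite3.connect(db_path)) as conn:
        conn.executescript("""
            CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT, ZBUNDLENAME TEXT);
            CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER, ZTIMESTAMP REAL);
            -- two processes whose ZPROCESS rows still exist
            INSERT INTO ZPROCESS VALUES (1, 'MobileMail', 'com.apple.mobilemail');
            INSERT INTO ZPROCESS VALUES (2, 'MobileSafari', 'com.apple.mobilesafari');
            -- usage rows: two valid, one pointing at a deleted process (Z_PK 9),
            -- and one with no process at all (NULL), which the query ignores
            INSERT INTO ZLIVEUSAGE VALUES (10, 1, 652000000.0);
            INSERT INTO ZLIVEUSAGE VALUES (11, 2, 652000100.0);
            INSERT INTO ZLIVEUSAGE VALUES (12, 9, 652000200.0);
            INSERT INTO ZLIVEUSAGE VALUES (13, NULL, 652000300.0);
        """)


def run_demo() -> List[Tuple[int, int, float]]:
    """Build the sample database in a temp dir and run the orphan check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "DataUsage.sqlite")
        build_sample_db(path)
        return find_orphaned_usage(path)


if __name__ == "__main__":
    for z_pk, zhasprocess, ts in run_demo():
        print(f"CASCADEFAIL: ZLIVEUSAGE row {z_pk} references missing ZPROCESS {zhasprocess} (ts {ts})")
```

Point find_orphaned_usage at a DataUsage.sqlite extracted from a device backup to run the same check on real data.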

MITRE Methodologies

T1456 – Drive-by Compromise
T1477 – Exploit via Radio Interfaces
S0289 – Pegasus for iOS

Further Information

About the security content of iOS 14.8 and iPadOS 14.8