You know what we’re going to say, so we’ll say it right away.
Patch early, patch often.
Canadian privacy and cybersecurity activist group The Citizen Lab has just announced a zero-day security hole in Apple’s iPhone, iPad and Macintosh operating systems.
They’ve given the attack the nickname FORCEDENTRY, for fairly obvious reasons, although its official designation is CVE-2021-30860.
Citizen Lab has attributed the vulnerability, and the code that exploits it, to the controversial device surveillance company NSO Group, already notorious for its so-called Pegasus line of spyware-like products.
According to Citizen Lab, the exploit relies on booby-trapped PDF files and was seen in the wild when a Saudi activist handed over his phone for analysis after suspecting that spyware had been implanted on the device.
The Citizen Lab report coincides with Apple’s own security bulletin HT212807, which credits Citizen Lab for reporting the hole and says simply:
Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. […] An integer overflow was addressed with improved input validation.
The integer problem
Integer overflows happen when an arithmetic calculation doesn’t fit into the available numerical precision, which often leads on to a buffer overflow of some kind.
Computers typically use a fixed number of bits, usually 16, 32 or 64, to do arithmetic on integers (whole numbers, such as 1, 42 and 2021), so some combinations of inputs will produce outputs that simply won’t fit into the available space.
This is the same kind of flaw as the infamous Y2K bug, where programs that used two digits to store the year would compute the year after 1999 as 99+1 = 100, using that as a “shortcut” instead of working out 1999+1 = 2000 in full.
Of course, with only two digits to store the answer, the result would “lose” the leading digit that denotes “one hundred years” and wrap back round to 00, causing the time and date at midnight to jump back a century instead of advancing by just one second.
In memory management code, numerical shortcuts like this can easily lead to chunks of data being written into blocks of memory in which they simply won’t fit.
For example, a program that relies on 16-bit numbers to store the width and height of an image will let you specify images up to 65535 pixels wide by 65535 pixels high (0xFFFF in hexadecimal, or the 16-bit value 111...111 in binary).
At first sight, that seems like a bigger image than anyone would ever need.
But if the programmer forgot to specify a 32-bit number for the required number of pixels (width × height) and, out of habit, assigned yet another 16-bit integer to hold the result, then even an image of, say, 1000 × 1000 pixels would cause serious problems.
The product 1000 × 1000 should come out at 1,000,000 pixels, or 0xF4240 in hexadecimal, but that number needs 20 bits, or five hexadecimal digits, to store it in full, so squeezing it into 16 bits causes an integer overflow. (When you multiply two N-digit numbers together, the result can be up to 2N digits long.)
If the answer is stored in a 16-bit integer, the 0xF at the start of the number is discarded, leaving only four hexadecimal digits (16 bits), so the computed “image size” comes out as 0x4240 in hexadecimal, like an old-style car odometer that has gone past 99,999 miles and started again from zero.
That gives an incorrect answer of 16,960 instead of 1,000,000.
If the software blindly allocates just 16,960 bytes of storage, having incorrectly computed the “right” size for a 1000 × 1000 pixel image, a huge, catastrophic buffer overflow will occur as soon as the image is copied into the undersized buffer.
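Here is the 16-bit arithmetic above written out in C, as an added example that is not code from the article, from Apple or from the exploit: a hypothetical image header with 16-bit dimensions, the flawed product that wraps to 0x4240, the number of bytes a copy would then overrun, and a checked multiply of the kind that “improved input validation” means in practice (the struct and function names are invented for the illustration).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical image header with 16-bit dimensions, as in the text's example. */
struct image_hdr {
    uint16_t width;
    uint16_t height;
};

/* Flawed version: the product lands in another 16-bit integer, so anything above
 * 0xFFFF wraps like the odometer in the text (1000 x 1000 -> 0x4240 = 16,960). */
uint16_t buggy_pixel_count(struct image_hdr h)
{
    uint16_t pixels = (uint32_t)h.width * h.height; /* top bits silently dropped */
    return pixels;
}

/* Bytes a copy of the real image (one byte per pixel assumed) would write past a
 * buffer sized by buggy_pixel_count: 1,000,000 - 16,960 = 983,040 for 1000 x 1000. */
uint32_t overflow_bytes(struct image_hdr h)
{
    return (uint32_t)h.width * h.height - buggy_pixel_count(h);
}

/* Corrected version: check that the product fits BEFORE multiplying, so the result
 * can never wrap; the caller only allocates when this returns true. Works for
 * dimensions of any width up to 32 bits, not just the 16-bit header above. */
bool checked_mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return false;                 /* a * b would exceed 32 bits: reject */
    *out = a * b;
    return true;
}

int main(void)
{
    struct image_hdr h = { 1000, 1000 };
    uint32_t n;
    printf("buggy: %u pixels (0x%X), shortfall %u bytes\n",
           (unsigned)buggy_pixel_count(h), (unsigned)buggy_pixel_count(h),
           (unsigned)overflow_bytes(h));
    if (checked_mul_u32(h.width, h.height, &n))
        printf("checked: %u pixels, safe to allocate\n", (unsigned)n);
    return 0;
}
```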
Two bugs have been fixed
Interestingly, Apple also fixed another bug at the same time, designated CVE-2021-30858.
This second zero-day hole was found in Apple’s web rendering software, WebKit, which is at the heart of the Safari browser built into all of Apple’s operating systems.
In fact, all apps in the App Store (from the most basic games and utilities to full-blown web browsers) that can render and display HTML content are required by Apple to use WebKit.
Even browsers like Edge and Firefox, which normally use the Chromium and Gecko web rendering engines respectively, have to go via WebKit instead, so WebKit security bugs can have widespread consequences on iPhones and iPads.
Bug CVE-2021-30858 is a use-after-free vulnerability, where a program hands memory it no longer needs back to the operating system, so that it can be used elsewhere…
…but then, unwittingly, carries on using it anyway, trampling on new data that has since been stored there for some other purpose.
Bugs like this almost always cause application crashes, and occasionally give attackers the chance to produce full remote code execution (RCE) exploits, which seems to be what happened here.
We have no idea whether the two bugs in this story are related: the Citizen Lab report only mentions CVE-2021-30860, and the WebKit bug CVE-2021-30858 is simply credited to “an anonymous researcher”.
What to do?
With two apparently independent bugs in the wild at the same time, and with few indications so far of what to look for in booby-trapped PDF files or web pages, there’s not much you can do…
…other than to patch early, patch often.
Current patches [2021-09-14T00:01Z] are documented in Apple’s latest security bulletins as follows:
- HT212804: macOS Big Sur 11.6, fixing both bugs.
- HT212805: Security Update 2021-005 Catalina, fixing only the PDF bug.
- HT212806: watchOS 7.6.2, fixing only the PDF bug.
- HT212807: iOS 14.8 and iPadOS 14.8, fixing both bugs.
- HT212808: Safari 14.1.2 for Catalina and Mojave, fixing only the WebKit bug.
This means that on macOS Catalina there are currently two patches you need, one for the operating system itself and the other for WebKit/Safari.
To check for updates (and get them automatically if they haven’t been automatically downloaded yet), do the following:
- On an iPad or iPhone. Go to Settings > General > Software Update. If you’re on iOS 14, you want 14.8.
- On a MacBook laptop or desktop Mac. Go to Apple menu > System Preferences > Software Update. If you’re on macOS Big Sur 11, you want 11.6.
As far as we know, the Citizen Lab bug affects “All iPhones with iOS versions prior to 14.8”, which we assume includes iOS 12, which is still officially supported by Apple.
But we can’t find any current security bulletin that mentions iOS 12, which means that older phones may be vulnerable but not yet patched.
Bulletin HT212803, which immediately precedes this batch of zero-day patches, covers the recent and perhaps unsurprising news that attaching an iPhone directly to a high-powered motorcycle or to a mountain bike used for off-road riding can cause premature vibration damage to the precision-engineered components of the phone’s camera lens. Bulletin HT212809, the next in sequence after this batch, does not yet exist [2021-09-14T00:01Z].
For users of older iPhones, all we can suggest right now is that you be even more careful than usual about who you accept PDF files from and where you download them from.
In particular, don’t be swayed merely because the document you’re being tempted with apparently relates to your own work or hobbies.
Cybercriminals can easily find out your interests, both in your professional life and at home, simply by reading your job description or looking at your social media pages.
If in doubt, leave it out!