Canadian privacy and cybersecurity activist group The Citizen Lab has announced a zero-day security hole in Apple’s iPhone, iPad and Macintosh operating systems. The attack is widely being described by the nickname FORCEDENTRY. If the vulnerability is exploited, processing a maliciously crafted PDF may lead to arbitrary code execution on Apple iOS, macOS and watchOS devices. The exploit relies on an integer overflow vulnerability in Apple’s image rendering library (CoreGraphics). The vulnerability has been assigned CVE-2021-30860.

What To Do?

Please ensure your Apple iOS, macOS, and watchOS devices are updated with the latest operating system patch.

Checking for updates on a device

  • On an iPad or iPhone: Go to Settings > General > Software Update.
    If you are using iOS 14, update to 14.8.

  • On a MacBook or desktop: Go to Apple Menu > System Preferences > Software Update.
    If you are using macOS Big Sur 11, update to 11.6.

Note: For users of older iPhones who cannot currently update to the latest version, be cautious about whom you accept PDF files from, and the sites from which you download them.

You can also check the Apple website for a list of new updates.

Checking for updates using Sophos Mobile

Customers using Sophos Mobile can follow the steps below to check and update iOS devices.

Identify affected devices

  • Go to the 'Devices' page
  • Select 'Extended Filter'
  • Expand the 'Operating systems' section and click 'Clear all versions'
  • Click 'Show' under the 'iOS and iPadOS' section
  • Select 'All' to check all versions, and uncheck 'iOS 14.8' and 'iOS 15'
  • Click 'Filter'
  • The Devices page now shows a list of iOS devices running versions earlier than 14.8

Remotely install updates (Supervised devices only)

  • On the 'Devices' page click on a device
  • The 'Operating system' field will show a blue triangle if an update is available
  • Click Actions > Show available updates
  • Click 'Install latest available update'
  • The device will download and install the update

Message users encouraging them to update

  • On the 'Devices' page use the check box to select devices
  • Click Actions > Send Message
  • Type the message you would like the users to receive
  • Users will receive a notification on their device and can view the message by opening the Sophos Mobile Control app

Use Compliance Policies to monitor OS versions

  • Go to the 'Compliance Policies' page
  • Select an existing Compliance Policy or click 'Create compliance policy'
  • Select the 'iOS and iPadOS' tab
  • In the 'Minimum OS version' row use the dropdown to select iOS 14.8
  • Click 'Save'
  • Go to the 'Device groups' page
  • Select a relevant group
  • In the 'Compliance policies' section select the compliance policy you just created/edited
  • Click 'Save'
  • Return to the 'Compliance Policies' page and click 'Check Now'
  • Devices will be checked for their OS version and shown as non-compliant if they have a version prior to iOS 14.8
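
For inventories held outside Sophos Mobile, the same version check can be scripted. The following is an added example, not Sophos code and not a Sophos Mobile export format: the CSV column names and the sample rows are constructed, and only the versions named in this advisory (iOS 14.8, macOS Big Sur 11.6) are treated as fixed. Branches for which the advisory gives no fixed version are reported as unknown rather than guessed.

```python
import csv
import io

# Versions taken from the advisory text; nothing else is assumed to be fixed.
IOS_MINIMUM = (14, 8)             # compliance-policy minimum for iOS and iPadOS
MACOS_BRANCH_FIX = {11: (11, 6)}  # Big Sur 11 is fixed in 11.6

# Constructed sample inventory. The column names are hypothetical.
SAMPLE_INVENTORY = """device,platform,os_version
phone-01,iOS,14.7.1
phone-02,iOS,14.8
phone-03,iOS,14.10
phone-04,iOS,13.7
tablet-01,iPadOS,15.0
mac-01,macOS,11.5.2
mac-02,macOS,11.6
mac-03,macOS,10.15.7
watch-01,watchOS,7.6.1
phone-05,iOS,
"""


def parse_version(text):
    """'14.7.1' -> (14, 7, 1), so 14.10 sorts after 14.8 (string compare gets this wrong)."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(platform, os_version):
    """Return 'patched', 'needs-update' or 'unknown' for one device."""
    try:
        version = parse_version(os_version)
    except ValueError:
        return "unknown"  # empty or non-numeric version string
    platform = platform.strip().lower()
    if platform in ("ios", "ipados"):
        return "patched" if version >= IOS_MINIMUM else "needs-update"
    fixed = MACOS_BRANCH_FIX.get(version[0]) if platform == "macos" else None
    if fixed is None:
        return "unknown"  # the advisory states no fixed version for this branch
    return "patched" if version >= fixed else "needs-update"


def audit(inventory_csv):
    """Map device name -> status for every row of the CSV text."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["device"]: classify(row["platform"], row["os_version"]) for row in rows}


if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device:10} {status}")
```

Devices reported as unknown need a manual check against Apple's list of updates.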
