The Apple Zero-Day Flaws: What Exploit Vulnerabilities You Really Need to Know

Apple has issued emergency security updates to address two critical vulnerabilities impacting its entire fleet of devices–news that rattled both the tech company and cybersecurity industry given the severity of the flaws. With more than 1.65 billion Apple products worldwide, if left unpatched, these zero-day vulnerabilities could wreak havoc on employees across the world, many of whom work remotely from unmanaged devices. 

One of the critical flaws was discovered by security researchers at Citizen Lab after examining the mobile phone of a Saudi activist. The team found the Pegasus spyware on the device used by nation-state clients of the NSO Group, an Israeli spyware company. Given “multiple distinctive elements” in the spyware, researchers at Citizen Lab are confident in their attribution of the exploit, dubbed “FORCEDENTRY.”

While most media outlets have glommed onto the news tied to the Pegasus spyware, it’s important to focus on the vulnerabilities themselves–that’s right, the second flaw also failed to get as much exposure. 

The NSO Group is known for its international spying scandals; however, their exploits carry high price tags that governments typically purchase for surveillance purposes. This means targets range from specific individuals to groups of political dissidents, journalists, and human rights activists. Given that those cases make for better headlines, it’s essential not to lose sight of the vulnerabilities themselves, which nearly any threat actor could leverage to compromise any Apple device. 

To quickly inform security teams, Krishnan Subramanian, a security researcher at Menlo Labs, answered four essential questions that should be top of mind for security teams to learn more about these flaws.

1. What happened? 

Apple issued an emergency security update that addressed two zero-day flaws. 

The first vulnerability (CVE-2021-30860) was discovered by the team at Citizen Lab and is linked to the Pegasus spyware developed by the NSO Group. Once a victim is compromised, the spyware can control the infected device’s camera, microphone, and siphon messages such as recordings, emails, texts, and calls. 

The flaw impacts CoreGraphics, a software API that spans the system component and affects all Apple devices. Although Citizen Lab points to iMessage as the initial infection vector, Apple’s security bulletin highlights a broader attack surface. The flaw can be exploited via malicious PDFs–a popular tactic among cybercriminals that’s proven quite effective. This must not be overlooked.

An anonymous researcher uncovered the second remote code execution flaw (CVE-2021-30858). It affects the WebKit engine, the default engine that runs inside the Safari browser, the default web browser for all Apple devices. This, once again, puts all Apple users at risk.

2. Why should organizations and security teams be concerned? 

For organizations with employees that conduct work on Apple devices, they must patch them. Since Safari is the default browser to open links or documents delivered to the devices through email or other applications in use, threat actors could exploit these flaws to provide malicious PDF documents that can compromise users or drive them to malicious sites hosting spyware similar to Pegasus.

3. Given today’s hybrid workforce, what additional challenges does this present? 

A majority of today’s workforce is hybrid, which presents tremendous headaches from a patch management standpoint. It is difficult to track which users have or haven’t updated their devices when the workforce is distributed and working off unmanaged devices. The less control and visibility you have as a security team, the more challenging it is to protect organizations from cyber threats presented by zero-day flaws. 

4. What can security teams do to protect the workforce from this threat right now? 

Awareness is key. It’s important to quickly communicate these flaws to the team, as security awareness is the first line of defense. As we always say, knowledge is power when it comes to cybersecurity. 

To avoid vulnerabilities like this in the future, security teams should also consider isolation technology such as document isolation and remote browser isolation. Isolation technology essentially creates a protective layer around users working on their devices, which typically involves a web browser and email to receive important work documents. This protects users from zero-day exploits. 

As employees go about their workday on their devices, isolation technology blocks known and existing threats and unknown and future threats. It takes the traditional detect-and-remediate approach to security and flips it on its head, preventing attacks from reaching users in the first place.
 

Discover how isolation-powered security technology can prevent your organization from being impacted by phishing, malware, ransomware, and zero-day threats. Want a deep dive? Download our Definitive Guide.