Discover macOS and iOS Devices Vulnerable to FORCEDENTRY
Apple recently released new versions of macOS Big Sur and of the software for its other products, such as iOS for iPhones and iPads, and even the Apple Watch. The patches address two actively exploited 0-day vulnerabilities, CVE-2021-30858 and CVE-2021-30860. Apple notes that "Apple is aware of a report that this issue may have been actively exploited".
CVE-2021-30858 (WebKit) can result in arbitrary code execution when processing maliciously crafted web content. According to Apple, the issue was addressed with improved memory management.
CVE-2021-30860 (CoreGraphics) is an integer overflow vulnerability that could lead to arbitrary code execution when processing a maliciously crafted PDF document. Apple noted that this issue has been fixed using improved input validation. This vulnerability was disclosed by the University of Toronto's Citizen Lab, which dubbed it "FORCEDENTRY". The vulnerability has been weaponized by Israeli surveillance vendor NSO Group and allegedly used by the Bahrain government to install spyware on phones. What makes this vulnerability unique is that it blows past BlastDoor, a new software security feature that Apple added to iOS 14 to prevent zero-click intrusions. In one confirmed case, an iMessage was received with a GIF image that was actually an Adobe PSD file (Photoshop Document). This PDF file was designed to crash the iMessage component responsible for rendering the images and install spyware, showcasing how easy it is for attackers to abuse the vulnerability.
To help you ensure all your Apple devices are up to date, the report below lists all your Apple devices along with their OS version. With the added color-coding, you'll be able to easily spot and filter which ones have not been updated to iOS 14.8, iPadOS 14.8, or macOS Big Sur 11.6.
Apple FORCEDENTRY 0-day Query
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  -- OS version from whichever source reported it (Mac scan, Intune or AirWatch)
  Coalesce(tblMacOSInfo.SystemVersion, tblIntuneDevice.OsVersion,
    tblAirWatchDevice.OsVersion) As [OS Version],
  -- Patch status. The patterns are substring matches, so '%11.6%' also
  -- matches a version string such as 10.11.6.
  Case
    When tblMacOSInfo.SystemVersion Like '%11.6%' Then 'Up to date'
    When tblIntuneDevice.OsVersion Like '%14.8%' Then 'Up to date'
    When tblAirWatchDevice.OsVersion Like '%14.8%' Then 'Up to date'
    -- Blank only when no source reported a version at all
    When Coalesce(tblMacOSInfo.SystemVersion, tblIntuneDevice.OsVersion,
      tblAirWatchDevice.OsVersion) Is Null Then ''
    Else 'Out of date'
  End As [Up/Out of date],
  -- Most recent scanning error per asset, if any
  Case
    When tblErrors.ErrorText Is Not Null Or tblErrors.ErrorText != ''
    Then 'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  -- Row color: green when a fixed version is reported, red otherwise
  Case
    When tblMacOSInfo.SystemVersion Like '%11.6%' Then '#d4f4be'
    When tblIntuneDevice.OsVersion Like '%14.8%' Then '#d4f4be'
    When tblAirWatchDevice.OsVersion Like '%14.8%' Then '#d4f4be'
    Else '#ffadad'
  End As backgroundcolor
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Left Join tblMacOSInfo On tblAssets.AssetID = tblMacOSInfo.AssetID
  Left Join tblIntuneDevice On tblAssets.AssetID = tblIntuneDevice.AssetId
  Left Join tblAirWatchDevice On tblAssets.AssetID = tblAirWatchDevice.AssetId
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
      Max(tblErrors.Teller) As ErrorID
    From tblErrors
    Group By tblErrors.AssetID) As ScanningError
    On tblAssets.AssetID = ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype = tblErrors.ErrorType
Where (tblAssetCustom.Manufacturer Like '%Apple%' Or
    tblAirWatchDevice.Platform Like '%Apple%')
  And tblState.Statename = 'Active'
Order By tblAssets.Domain,
  tblAssets.AssetName
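When the report's results are exported for follow-up, the status can be re-checked with a numeric version comparison against the fixed releases named above (iOS 14.8, iPadOS 14.8, macOS Big Sur 11.6). The Python below is an added example, not part of the original report or of Lansweeper; it shows where a substring match like the query's Like patterns and a numeric comparison disagree. The platform keys, asset names and version strings are constructed for illustration.

```python
import re

# Fixed releases named in the article. The platform keys are assumptions.
FIXED = {"macos": (11, 6), "ios": (14, 8), "ipados": (14, 8)}

def parse_version(text):
    """Return the first dotted number in text as a tuple of ints, or None."""
    match = re.search(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in match.group().split(".")) if match else None

def patch_status(platform, version_text):
    """Numeric comparison: '' if unknown, else 'Up to date' / 'Out of date'."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return ""
    return "Up to date" if version >= fixed else "Out of date"

def like_status(platform, version_text):
    """Substring match, mirroring Like '%11.6%' / Like '%14.8%'."""
    fixed = FIXED.get(platform.lower())
    if fixed is None or not version_text:
        return ""
    needle = ".".join(str(n) for n in fixed)
    return "Up to date" if needle in version_text else "Out of date"

# Constructed inventory rows: (asset name, platform, reported OS version).
SAMPLE = [
    ("MAC-01", "macos", "macOS 11.6"),
    ("MAC-02", "macos", "OS X 10.11.6"),  # contains "11.6" but predates it
    ("IPH-01", "ios", "14.8.1"),
    ("IPH-02", "ios", "14.7.1"),
    ("IPH-03", "ios", "15.0"),            # later than 14.8, no "14.8" in it
    ("IPD-01", "ipados", None),           # no version reported
]

def compare(rows):
    """Return (asset, numeric status, substring status) for each row."""
    return [(name, patch_status(p, v), like_status(p, v)) for name, p, v in rows]

if __name__ == "__main__":
    for name, numeric, substring in compare(SAMPLE):
        flag = "  <-- differs" if numeric != substring else ""
        print(f"{name:8} {numeric:12} {substring:12}{flag}")
```
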