Apple has released security updates to address two newly revealed vulnerabilities (CVE-2021-30858 and CVE-2021-30860) in multiple products. An attacker could exploit these vulnerabilities to take control of an affected device. InnerCircle is aware of public reporting that these vulnerabilities may have been exploited in the wild.
The malicious software takes control of an Apple device by first sending a message through iMessage, the company’s default messaging app, and then exploiting the vulnerability through a flaw in how Apple processes images. It is what’s known in the cybersecurity industry as a “zero-click” exploit — a particularly dangerous and pernicious flaw that doesn’t require a victim clicking a link or downloading a file to take over.
More details regarding the specific vulnerabilities can be found here:
InnerCircle Client Guidance
The updates for Apple devices address a serious potential vulnerability. We recommend users immediately:
- Urgently apply relevant updates to all Apple devices.
Enable automatic software updates on your device. See below for how to enable automatic updates.
Here's how to turn on automatic updates:
- Go to Settings > General > Software Update.
- Tap Automatic Updates, then turn on Download iOS Updates.
- Turn on Install iOS Updates. Your device will automatically update to the latest version of iOS or iPadOS. Some updates might need to be installed manually.
We remind you of the importance of continued diligence when working on your mobile device.
- Never interact with messages, images and links from senders you do not regularly communicate with.
- Screen all requests for action to ensure appropriate context.
- Be mindful of warning messages that your device presents as you use it.
We ask that you broadly communicate this news and guidance to the individual members of your organization.
As always, if any IT issues arise you may contact our First Response Group via email at email@example.com.
How We Can Help
Unfortunately, the discovery and exploitation of operating system and software vulnerabilities has become routine. As much as we can do as IT professionals to strengthen defenses, weaknesses like this illustrate how vulnerable even well defended systems can become. Whether the vector is a new vulnerability, a supply chain attack, a credential breach, or traditional malware, our goal is to assist our clients with reducing the impact of a security event should it occur. Aside from technology protections, this includes insuring your organization has a clearly defined incident response plan and has identified acceptable recovery time objectives and implemented appropriate systems to support those objectives.
If you have any questions about this incident or you would like to review your firm’s security posture more generally, please do not hesitate to contact us.