On 13 September 2021, researchers from Citizen Lab  disclosed FORCEDENTRY: a zero-click vulnerability impacting pretty much all Apple operating systems based on a flaw in the CoreGraphics rendering application. As a zero-click (i.e., requiring no user interaction) vulnerability, FORCEDENTRY represents a deeply concerning technical problem. Yet based on Citizen Lab’s analysis, the only, known, discovered use for FORCEDENTRY aligns with actions linked to mercenary vendor NSO Group, apparently to enable follow-on deployment of the company’s Pegasus spyware since at least February 2021. Given all available information at the time of disclosure, the vulnerability represents a concerning issue, but one only used in likely limited engagements involving clients of NSO.

Yet this perspective did not translate into popular coverage and commentary on the matter. This is not an issue confined to FORCEDENTRY, however. Popular conceptions and subsequent media discussion of software vulnerabilities are often hyperbolic in nature. Egged on by the marketing departments of cybersecurity vendors who are happy to assign catchy names complete with professionally designed logos for their disclosures, vulnerabilities appear as a cascading series of critical events requiring immediate action. As a result, nearly all software vulnerabilities become lumped together into an undifferentiated mass of “critical” items – and if everything is critical, then how can one possibly prioritize efforts such as patching?

Vulnerabilities must be understood as almost meaningless on their own for purposes of security. While apparently concerning, a vulnerability is meaningless without a combination of other factors:

  1. An available mechanism for exploiting the vulnerability.
  2. An opportunity for delivering that exploit to vulnerable systems.
  3. An adversary’s intention to deliver that exploit to victims.

Absent any of the above, a vulnerability is a mere abstraction. While the underlying research identifying such an item may be technically astute and impressive, from a security practitioner’s point of view a vulnerability is only meaningful to the extent it can be leveraged by an adversary or utilized for malicious purposes.

Furthermore, the nature of how the three criteria above are satisfied also has significant bearing on matters. In the case of FORCEDENTRY, all three criteria were satisfied – but it is worth noting that the third appears rather circumscribed to only encompass NSO operations. While this is very concerning if you are a political  activist in Saudi Arabia, a journalist in Turkey, or similar type of person, such limited scope (or focused targeting and application) means that the vulnerability represents only a possible, future concern for the overwhelming majority of potential victims.

This observation does not mean “don’t worry about patching” – at this point, if you own an Apple device and you haven’t patched already, I strongly advise you to do so. The reason is that on disclosure, other researchers will begin reversing the patch and analyzing the vulnerability, transforming this from “narrowly used, private capability” to “widely available, public exploit” in the near future. But for organizations running a fleet of MacOS devices, forcing an immediate patch cycle across a sizable user base may cause more trouble than any benefit until capabilities replicating FORCEDENTRY become more widely available.

The state of affairs surrounding FORCEDENTRY stands in contrast to the series of vulnerabilities identified by researcher OrangeTsai in Microsoft’s Exchange product. Notably, the ProxyLogon chain of vulnerabilities resulted in an out-of-band patch from Microsoft in March 2021. These vulnerabilities were under active exploitation for months prior to patch release by a group identified by Microsoft as Hafnium, but shortly before patch release (and picking up significantly afterwards) multiple additional entities appear to have engaged in opportunistic scanning and exploitation of this vulnerability. 

Normally, patching a  high-availability, high-visibility service such as Exchange requires time to test the patch and takes place after hours to avoid business disruption. In this case however, the combination of our vulnerability criteria means more immediate action is required to avoid exploitation of a critical, external facing business system. Particularly, the combination of available mechanism (possessing a working exploit), widespread opportunity (connectivity to an external facing service), and realized intention (initially espionage but expanding to include opportunistic exploitation from multiple groups) translate ProxyLogon into an immediate threat impacting many entities. Patching Exchange can be very disruptive and risky (nobody likes their email going down), but in this case was necessary.

All things equal and in a mythical universe where resources are unlimited, organizations should work to ensure vulnerabilities are patched as soon as possible. But we live and work in a resource-constrained environment. Thus contextualizing the overall risk posed by a vulnerability is necessary to determine just how significant a given item is, fancy naming or major conference presentations aside. With that in mind, network defenders as well as those covering this space would do well to really understand how vulnerabilities play into wider cyber operations, and what additional criteria are necessary to make a vulnerability an item of immediate concern.


1 Comment

Critical Commentary Considering the Zero Day – Stranded on Pylos · 09/25/2021 at 17:30

[…] true zero day situations such as the recently discovered FORCEDENTRY item in Apple software, actual use of this item was quite narrowly focused prior to public disclosure. That means that this exploit, and similar items, are certainly threats […]

Comments are closed.