Connect with us

Hi, what are you looking for?


Mobile & Wireless

Apple Patches Spyware-Related Zero-Days in OS X, Safari

Apple has released security updates for Mac OS X and Safari to patch zero-day vulnerabilities that were recently used to spy on individuals via iOS devices.

Apple has released security updates for Mac OS X and Safari to patch zero-day vulnerabilities that were recently used to spy on individuals via iOS devices.

Called Trident, the flaws, namely CVE-2016-4655, CVE-2016-4656, and CVE-2016-4657, were discovered by Citizen Lab and Lookout researchers after they were being actively exploited by a piece of surveillance software called Pegasus. Developed and sold by an organization called NSO Group, the spyware was said to be employed by government agencies for surveillance purposes.

As it turns out, the three vulnerabilities weren’t affecting only iOS. Apple has now released a patch to resolve the CVE-2016-4655 and CVE-2016-4656 security flaws in OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6, and another to fix CVE-2016-4657 in Safari (for OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5).

The first two bugs affect the Kernel and could result in kernel memory being disclosed and in applications executing arbitrary code with kernel privileges. The third issue could lead to arbitrary code execution when the user visits a maliciously crafted website. Just as on iOS, improved memory handling and improved input sanitization addressed these bugs.

The fact that exploit acquisition companies such as Zerodium are willing to pay millions for zero-days, and that they even paid $1 million for one such vulnerability, confirms the great value of these security holes. Last month, Exodus Intelligence revealed that it would pay up to $500,000 for iOS 0-days.

When disclosed last week, the Trident vulnerabilities were revealed to affect the iOS Kernel (CVE-2016-4655, CVE-2016-4656) and the WebKit component (CVE-2016-4657) of the platform. The Pegasus spyware leveraged these vulnerabilities to compromise iOS devices and to transform them into spying devices by gaining access to files, messages, microphone and video camera.

The Pegasus spyware was also designed to collect and exfiltrate a great deal of data from the compromised devices, including the user’s calls and messages (regardless of whether from the default app or from a third-party program), calendar data, contact lists, and passwords, including Wi-Fi passwords.

Advertisement. Scroll to continue reading.

 The report on the Pegasus spyware brought Israel’s secretive surveillance industry into spotlight only a few days later. One of the issues was that the spyware was sold to oppressive regimes (which used it in violation of human rights), although exports of sensitive security products were supposed to be approved by Israel’s defense ministry.

Related: Zero-Day Exploits Leaked in Hacking Team Breach

Related: Israel’s Cyber Sector Blooms in the Desert


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.