Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Apple Patches Spyware-Related Zero-Days in OS X, Safari

Apple has released security updates for Mac OS X and Safari to patch zero-day vulnerabilities that were recently used to spy on individuals via iOS devices.

Apple has released security updates for Mac OS X and Safari to patch zero-day vulnerabilities that were recently used to spy on individuals via iOS devices.

Called Trident, the flaws, namely CVE-2016-4655, CVE-2016-4656, and CVE-2016-4657, were discovered by Citizen Lab and Lookout researchers after they were being actively exploited by a piece of surveillance software called Pegasus. Developed and sold by an organization called NSO Group, the spyware was said to be employed by government agencies for surveillance purposes.

As it turns out, the three vulnerabilities weren’t affecting only iOS. Apple has now released a patch to resolve the CVE-2016-4655 and CVE-2016-4656 security flaws in OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6, and another to fix CVE-2016-4657 in Safari (for OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5).

The first two bugs affect the Kernel and could result in kernel memory being disclosed and in applications executing arbitrary code with kernel privileges. The third issue could lead to arbitrary code execution when the user visits a maliciously crafted website. Just as on iOS, improved memory handling and improved input sanitization addressed these bugs.

The fact that exploit acquisition companies such as Zerodium are willing to pay millions for zero-days, and that they even paid $1 million for one such vulnerability, confirms the great value of these security holes. Last month, Exodus Intelligence revealed that it would pay up to $500,000 for iOS 0-days.

When disclosed last week, the Trident vulnerabilities were revealed to affect the iOS Kernel (CVE-2016-4655, CVE-2016-4656) and the WebKit component (CVE-2016-4657) of the platform. The Pegasus spyware leveraged these vulnerabilities to compromise iOS devices and to transform them into spying devices by gaining access to files, messages, microphone and video camera.

The Pegasus spyware was also designed to collect and exfiltrate a great deal of data from the compromised devices, including the user’s calls and messages (regardless of whether from the default app or from a third-party program), calendar data, contact lists, and passwords, including Wi-Fi passwords.

 The report on the Pegasus spyware brought Israel’s secretive surveillance industry into spotlight only a few days later. One of the issues was that the spyware was sold to oppressive regimes (which used it in violation of human rights), although exports of sensitive security products were supposed to be approved by Israel’s defense ministry.

Related: Zero-Day Exploits Leaked in Hacking Team Breach

Related: Israel’s Cyber Sector Blooms in the Desert

 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...

Cybercrime

A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...