Apple has released security updates for Mac OS X and Safari to patch zero-day vulnerabilities that were recently used to spy on individuals via iOS devices.
Called Trident, the flaws, namely CVE-2016-4655, CVE-2016-4656, and CVE-2016-4657, were discovered by Citizen Lab and Lookout researchers after they were being actively exploited by a piece of surveillance software called Pegasus. Developed and sold by an organization called NSO Group, the spyware was said to be employed by government agencies for surveillance purposes.
As it turns out, the three vulnerabilities weren’t affecting only iOS. Apple has now released a patch to resolve the CVE-2016-4655 and CVE-2016-4656 security flaws in OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6, and another to fix CVE-2016-4657 in Safari (for OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5).
The first two bugs affect the Kernel and could result in kernel memory being disclosed and in applications executing arbitrary code with kernel privileges. The third issue could lead to arbitrary code execution when the user visits a maliciously crafted website. Just as on iOS, improved memory handling and improved input sanitization addressed these bugs.
The fact that exploit acquisition companies such as Zerodium are willing to pay millions for zero-days, and that they even paid $1 million for one such vulnerability, confirms the great value of these security holes. Last month, Exodus Intelligence revealed that it would pay up to $500,000 for iOS 0-days.
When disclosed last week, the Trident vulnerabilities were revealed to affect the iOS Kernel (CVE-2016-4655, CVE-2016-4656) and the WebKit component (CVE-2016-4657) of the platform. The Pegasus spyware leveraged these vulnerabilities to compromise iOS devices and to transform them into spying devices by gaining access to files, messages, microphone and video camera.
The Pegasus spyware was also designed to collect and exfiltrate a great deal of data from the compromised devices, including the user’s calls and messages (regardless of whether from the default app or from a third-party program), calendar data, contact lists, and passwords, including Wi-Fi passwords.
The report on the Pegasus spyware brought Israel’s secretive surveillance industry into spotlight only a few days later. One of the issues was that the spyware was sold to oppressive regimes (which used it in violation of human rights), although exports of sensitive security products were supposed to be approved by Israel’s defense ministry.