Apple Patches OS X a Week After Fixing iOS Zero-Days
Apparently Apple's desktop operating system had the same flaws that were first exposed after a human rights activist's iPhone was attacked.On Aug. 25, Apple rushed out a critical patch for its iOS mobile operating system, fixing three zero-day exploits. As it turns out, the same flaws impact Mac OS X, which is now getting patched a week after its mobile sibling. The OS X patch is being made available for both OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6. Inside of OS X are two kernel issues (CVE-2016-4655 and CVE-2016-4656) that are the same as those patched in the iOS 9.3.5 update last week. Both are kernel memory corruption issues. In addition, Apple is updating its Safari web browser to version 9.1.3 to fix a security flaw identified as CVE-2016-4657, which was also patched in the iOS 9.3.5 update. The CVE-2016-4657 vulnerability is a memory corruption issue in the WebKit browser rendering engine. According to Apple's advisory, the impact of the vulnerability is that" visiting a maliciously crafted website may lead to arbitrary code execution." The three vulnerabilities first patched in iOS and now in OS X were being used by security intelligence firm NSO Group in a spyware tool it sells known as Pegasus. The chained combination of the three zero-days is an exploit that research group Citizen Lab is calling Trident.
Citizen Lab, a research group within the Munk School of Global Affairs at the University of Toronto, was contacted by human rights activist Ahmed Mansoor after he received suspicious text messages. Citizen Lab along with security firm Lookout investigated the text messages and determined that the messages were in fact malicious and were attempting to use previously unknown exploits.