On Aug. 25, Apple rushed out a critical patch for its iOS mobile operating system, fixing three zero-day exploits. As it turns out, the same flaws impact Mac OS X, which is now getting patched a week after its mobile sibling.
The OS X patch is being made available for both OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6. Inside of OS X are two kernel issues (CVE-2016-4655 and CVE-2016-4656) that are the same as those patched in the iOS 9.3.5 update last week. Both are kernel memory corruption issues.
In addition, Apple is updating its Safari web browser to version 9.1.3 to fix a security flaw identified as CVE-2016-4657, which was also patched in the iOS 9.3.5 update. The CVE-2016-4657 vulnerability is a memory corruption issue in the WebKit browser rendering engine. According to Apple’s advisory, the impact of the vulnerability is that” visiting a maliciously crafted website may lead to arbitrary code execution.”
The three vulnerabilities first patched in iOS and now in OS X were being used by security intelligence firm NSO Group in a spyware tool it sells known as Pegasus. The chained combination of the three zero-days is an exploit that research group Citizen Lab is calling Trident.
Citizen Lab, a research group within the Munk School of Global Affairs at the University of Toronto, was contacted by human rights activist Ahmed Mansoor after he received suspicious text messages. Citizen Lab along with security firm Lookout investigated the text messages and determined that the messages were in fact malicious and were attempting to use previously unknown exploits.
A Lookout spokesperson told eWEEK that Lookout and Citizen Lab have multiple links: members of Lookout’s team are alumni of the University of Toronto and some of Lookout’s researchers have worked with Citizen Lab in the past. Lookout is a supporter of Citizen Lab’s research and has participated in Citizen Lab research projects as well.
“For this research, Citizen Lab made the initial connection between the texts being sent to Ahmed Mansoor’s iPhone and the NSO Group as well as gathered the first stage of the exploit,” the spokesperson stated. “Citizen Lab then worked with Lookout, who decoded the first stage and obtained additional samples and variations that allowed us to detail the full exploit chain that would have jailbroken Mansoor’s iPhone and installed sophisticated malware.”
In terms of how Lookout was able to initially decipher and reverse-engineer the Trident exploit, the spokesperson said researchers used a combination of standard reversing tools such as IDA Pro, Frida, debuggers and Lookout’s own self-built tools.
Apple patched iOS less than two weeks after Citizen Lab and Lookout first disclosed the Trident vulnerabilities and has now closed the vulnerability loop by patching OS X as well.
“The Trident vulnerabilities used by NSO could have been weaponized against users of non iOS devices, including OS X,” Citizen Lab stated. “We encourage all Apple users to install the update as soon as possible.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.