Pierluigi Paganini September 02, 2016

Apple issued security fixes for Mac OS X and Safari to patch zero-day flaws exploited by Pegasus spyware to spy on mobile users.

A few days ago, we reported a detailed analysis of the Trident exploit that triggers three vulnerabilities in order to remotely hack Apple mobile devices through the installation of the Pegasus spyware.

The joint investigation conducted by experts from CitizenLab organization and Lookout security firm demonstrated that nation-state actors exploited the three vulnerabilities to spy on activists’ Apple mobile devices.

Experts from Lookout identified the targeted attack as Pegasus as explained in a detailed blog post.

“Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile — always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists. It is modular to allow for customization and uses strong encryption to evade detection.” states the blog post published by Lookout., the three zero-day flaws, dubbed ”

The three zero-day vulnerabilities, dubbed “Trident,” exploited in the attack are:

• CVE-2016-4655: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel’s location in memory.
• CVE-2016-4656: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
• CVE-2016-4657: Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.

Malware experts linked the attacks leveraging on the Pegasus malware to the activity of the Israeli surveillance NSO Group that has developed a malicious code that has been exploiting three zero-day security vulnerabilities in order to spy on dissidents and journalists.

The vulnerabilities, including a hole in IOMobileFrameBuffer (found and fixed in Safari and coded CVE-2016-4564) affect also desktop Safari and OS X, too.

Do not forget that iOS and OS X, share a big portion of code, so it is normal the presence of the flaws in the MAC desktop PCs.

Apple, that released the iOS 9.3.5 update for its mobile devices (iPhones and iPads) to address the flaws, now has issued security updates also for the Safari Browser and OS X.

The Safari patch fixes the Trident vulnerabilities, Apple also issued the updates for the El Capitan and Yosemite.

Don’t waste time, patch as soon as possible your Apple device.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Trident, iOS zero-days, Pegasus spyware)