“Security researchers say a little-known Israeli startup exploited previously unknown bugs in Apple Inc.’s smartphone software to help foreign governments spy on their citizens,” Robert McMillan reports for The Wall Street Journal. “The researchers say the surveillance software was the work of NSO Group Technologies Ltd., which sells primarily to government agencies. The researchers, at Citizen Lab, a group that investigates surveillance technology, and at mobile-security firm Lookout Inc., say they discovered the software in a link sent earlier this month to the phone of Ahmed Mansoor, a human-rights activist in the United Arab Emirates.”

“Their report sheds new light on the capabilities of private security companies to produce sophisticated software for state-sponsored spying,” McMillan reports. “It also suggests that the iOS operating system behind Apple’s iPhones isn’t as impregnable as it appeared earlier this year, when the Federal Bureau of Investigation struggled for weeks and ultimately paid $1 million to unlock a phone tied to the San Bernardino terror attack.”

“NSO Group’s software takes advantage of three previously unknown flaws in iOS to install itself on an iPhone, where it then transforms the phone into a surveillance device, tracking its movements, logging messages and downloading personal data,” McMillan reports. “In a statement Thursday, Apple said it had been ‘made aware of this vulnerability and immediately fixed it.’ The company advised iPhone users to download the new version of iOS, dubbed 9.3.5.”

Read more in the full article here.

MacDailyNews Take: Update to iOS 9.3.5 ASAP.

About the security content of iOS 9.3.5

For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.
Apple security documents reference vulnerabilities by CVE-ID when possible.

iOS 9.3.5
Released August 25, 2016

Kernel
Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: An application may be able to disclose kernel memory
Description: A validation issue was addressed through improved input sanitization.
CVE-2016-4655: Citizen Lab and Lookout

Kernel
Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4656: Citizen Lab and Lookout

WebKit
Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4657: Citizen Lab and Lookout

SEE ALSO:
Apple boosts iPhone security after Mideast spyware discovery; releases iOS 9.3.5 – August 25, 2016