“Apple says it is issuing a security update after powerful espionage software was found targeting an activist’s iPhone in the Middle East,” The Associated Press reports.
“Computer forensics experts tell The Associated Press the spyware takes advantage of three previously undisclosed weaknesses in Apple’s mobile operating system to take complete control of iPhone handsets,” AP reports. “Apple said in a statement that it fixed the vulnerability immediately after learning about it.”
Read more in the full article here.
Citizen Lab reports:
Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates (UAE), and recipient of the Martin Ennals Award (sometimes referred to as a “Nobel Prize for human rights”). On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based “cyber war” company that sells Pegasus, a government-exclusive “lawful intercept” spyware product. NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management.
The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware. We are calling this exploit chain Trident. Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.
We are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign, making this a rare find.
Much more in the full article here.
MacDailyNews Note: Apple has released iOS 9.3.5. Update ASAP.
About the security content of iOS 9.3.5
For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.
Apple security documents reference vulnerabilities by CVE-ID when possible.iOS 9.3.5
Released August 25, 2016Kernel
Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: An application may be able to disclose kernel memory
Description: A validation issue was addressed through improved input sanitization.
CVE-2016-4655: Citizen Lab and LookoutKernel
Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4656: Citizen Lab and LookoutWebKit
Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4657: Citizen Lab and Lookout
just updated.
But wait a minute, wasn’t it Apple and some other “security” firm who was offering a 500,000$ reward for any security flaws in iOS just a few days ago?
lmao
Apple security whether in iOS or MacOS is simply an oxymoron!
At best Apple’s attempt at marketing deception!
Sorry Apple, you fail again!
🙂
How are your carrier pigeons doing? They must be exhausted flying all the way to and from South Korea. After all you wouldn’t want to entrust your secret communiques to an Android phone, and you are not allowed to use an iPhone …
Samdung must be really hurting when they find it necessary to employ trolls on MDN …
“Apple…fixed the vulnerability immediately after learning about it.”
This is why I love Apple!
That’s also why people loved Blackberry….
Wonder if they fixed the other issue that was being whined about earlier with VoiceOver and voice dictation while they were at it.
Adobe and MS could sure learn from Apple. Can’t get better than immediately.
Nah. They usually “fix” their problems in the next version
Apple usually fixes some small number of problems, not all, while simultaneously introducing a rich set of new problems in their new releases.
Very crafty.
That was the case with one bug I encountered with Apple Server. Running an Xserve and it’s attached disk array, I found I couldn’t mount terabyte size partitions using NFS. Apple engineers confirmed the problem and, sure enough, promised the fix would be included in the next software update. It was, and we used that system as a primary data store until the system was retired.
Here’s one you’ll like!
Affecting countless millions of iPhone 6 & 6 s owners …
https://a.msn.com/r/2/BBw2LHe?m=en-us
Yet another example of Apple’s “flawless” products!
🙂
…you so smart, you so clever
Just updated. The advantage of owning the whole widget, eh!?
Three…. that’s fucking right, three! vunrelibities in IOS that fag boy Cook had no fucking idea about until some low level hacker exposed it!
Or did he? Why would he tell you?
“Available for: iPhone 4s and later, iPad 2 and later, …”
Yet the update won’t show for my iPad 3. Stuck at 9.3.2.