“Apple Inc issued a patch on Thursday to fix a dangerous security flaw in iPhones and iPads after researchers discovered that a prominent United Arab Emirates dissident’s phone had been targeted with a previously unknown method of hacking,” Joseph Menn reports for Reuters.
“The thwarted attack on the human rights activist, Ahmed Mansoor, used a text message that invited him to click on a web link. Instead of clicking, he forwarded the message to researchers at the University of Toronto’s Citizen Lab,” Menn reports. “The hack is the first known case of software that can remotely take over a fully up-to-date iPhone 6.”
“Experts at Citizen Lab worked with security company Lookout and determined that the link would have installed a program taking advantage of a three flaws that Apple and others were not aware of,” Menn reports. “The researchers said they had alerted Apple a week and a half ago, and the company developed a fix and distributed it as an automatic update to iPhone 6 owners.”
“The Citizen Lab team attributed the attack software to a private seller of monitoring systems, NSO Group, an Israeli company that makes software for governments which can secretly target mobile phones and gather information,” Menn reports. “Tools such as that used in this case, a remote exploit for a current iPhone, cost as much as $1 million.”
Read more in the full article here.
MacDailyNews Take: If you haven’t yet backed up and updated your iOS devices to iOS 9.3.5, please do so ASAP.
About the security content of iOS 9.3.5
For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.
Apple security documents reference vulnerabilities by CVE-ID when possible.iOS 9.3.5
Released August 25, 2016Kernel
Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: An application may be able to disclose kernel memory
Description: A validation issue was addressed through improved input sanitization.
CVE-2016-4655: Citizen Lab and LookoutKernel
Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4656: Citizen Lab and LookoutWebKit
Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4657: Citizen Lab and LookoutSEE ALSO:
Apple boosts iPhone security after Mideast spyware discovery; releases iOS 9.3.5 – August 25, 2016