A week after fixing three critical vulnerabilities in iOS that were used in an attack on a human rights activist, Apple has released patches for the same bugs in Safari and OS X.
The vulnerabilities include two flaws in the OS X kernel and a WebKit bug, which was fixed in the Safari browser. One of the kernel vulnerabilities can allow an attacker to execute arbitrary code with the same privileges as the kernel, and the other one can allow an app to disclose kernel memory. The third vulnerability is a memory corruption bug in WebKit that can allow arbitrary code execution if a user clicks on a malicious link.
All three of these vulnerabilities were discovered last month when a human rights activist in the United Arab Emirates was targeted in attack that attempted to exploit them. The victim forwarded the link that was sent to him during the exploit attempt to researchers at Citizen Lab at the University of Toronto, who discovered that the exploits were linked to a firm in Israel that sells intrusion software.
“We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based ‘cyber war’ company that sellsPegasus, a government-exclusive ‘lawful intercept’ spyware product,” Citizen Lab said in a report on the incident.
“The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware.”
Apple patched these three vulnerabilities in both the El Capitan and Yosemite versions of OS X. The fixes weren’t part of a larger OS X update, but were just standalone patches, which is rare for Apple.