
Apple releases OS X patch for spyware exploit

Citizen Lab and Lookout identified three vulnerabilities (CVE-2016-4655, CVE-2016-4657, CVE-2016-4658) that allowed Pegasus owners to take control of iOS devices from a remote location with minimal interaction from the user.


Apple today released Security Update 2016-001 for OS X El Capitan users, introducing important security fixes to the operating system.

Security vendor Lookout, together with researchers from the University of Toronto’s Citizen Lab, is credited with finding the bugs in iOS and OS X. Apple describes the fix by saying that “a memory corruption issue was addressed through improved memory handling”.

The other update is for Safari, which brings the version number of the app to 9.1.3.

This vulnerability is an exact mirror of CVE-2016-4658, a vulnerability that affected the WebKit engine (used by Safari) deployed on iOS devices.

On Thursday, Apple provided another set of security updates, this time for the Mac.

Apple issued a patch today to fix that, but you’ll need Yosemite or El Capitan to receive protection from these exploits.

In its advisory, Apple warned that visiting a “maliciously crafted website” through its Safari browser could allow hackers to execute arbitrary code on a victim’s computer. These are similar to the issues that were present in iOS.


The zero-days were included in the Pegasus spyware made by American-owned Israeli company NSO Group, which specialises in kernel-level exploitation.

Matt Elliott  CNET