The disclosure a week ago that three Apple iOS zero days were used to spy on a political dissident from the United Arab Emirates included high-profile exposes of the activities of a cyber arms-dealing outfit in Israel known as the NSO Group and an emergency update for iOS.
Last night, Apple expanded the scope of the situation with patches for the same trio of vulnerabilities in OS X and Safari.
Apple did not respond in time for publication to a request as to why it took them a week to address the same bugs in its desktop OS and flagship browser.
The vulnerabilities, known as Trident, can be used to compromise iOS or OS X devices and execute arbitrary code. The zero days were privately disclosed to Apple by Citizen Lab, which is based at the Munk School of Global Affairs at the University of Toronto, and by mobile security company Lookout. Citizen Lab and Lookout published some technical details on how the vulnerabilities were used in iOS to spy on Ahmed Mansoor, an acclaimed activist in the UAE.
Mansoor, in early August, received suspicious and targeted text messages that included a link. Mansoor passed the message on to contacts at Citizen Lab who analyzed the potential attack and connected it to NSO Group.
NSO Group’s wares are not the first to be used against Mansoor; in 2011, FinFisher spyware and in 2012, Hacking Team spyware were used against the human rights defender, Citizen Lab and Lookout said.
Apple yesterday patched two kernel vulnerabilities in OS X (Yosemite 10.10.5 and El Capitan 10.11.6); CVE-2016-4655 discloses kernel memory, while CVE-2106-4656 is a memory corruption bug that exposes OS X to arbitrary code execution with kernel privileges.
One vulnerability, CVE-2016-4657, was patched in Safari 9.1.3. The bug is in the WebKit implementation in the browser where an attacker could lure the victim to a site hosting an exploit and be able to execute arbitrary code on the machine.
In iOS, the WebKit vulnerability was particularly dangerous since its allows for complete compromise with just a click of a link, for example. Lookout said the kernel information leak vulnerability allows an attacker to learn kernel location in memory, while the second kernel bug allows for a silent jailbreak of the device and the installation, in Mansoor’s case, of surveillance software called Pegasus.
NSO Group is alleged to have sold Pegasus to governments in order to spy on high-value targets.
Citizen Lab said Mansoor was not the only one infected with Pegasus spyware; Mexican journalist Rafael Cabrera had also been targeted.
“This shows that some governments are willing to spend huge amounts of money to get into the minds and private communications of people who are in this sort of position,” said Citizen Lab researcher John Scott-Railton in an interview with Threatpost. “This research shows the power of independent organizations like Citizen Lab doing work with dissidents and other groups that don’t have the resources and money to pay for enterprise-grade security. Just because they can’t defend themselves against it, doesn’t mean they won’t be targets of sophisticated malware. Going forward we expect so see more attacks of this type,” he said.
iOS zero days have tremendous value in vulnerability markets. Exploit vendor Zerodium last September put up a month-long million-dollar bounty looking for iOS 9 zero-day vulnerabilities. The company, started by VUPEN founder Chaouki Bekrar, buys zero days for all major mobile and desktop platforms and for third-party software and said the attacks it purchases are built into a feed of vulnerabilities, exploits and defensive capabilities for its customers. Bekrar denied in a tweet that the Apple zero days came from his company.
The iOS zero-days allegedly linked to NSO are Not ours and are Not related to @Zerodium, but thank you for asking. #0days #WildWildWest
— Chaouki Bekrar (@cBekrar) August 26, 2016
Pegasus spyware, meanwhile, can be leveraged to spy on phone calls, SMS messages and media on the device such as the microphone or camera. Lookout researcher Andrew Blaich said that the zero days, or variants thereof, could have been used since 2013 dating back to iOS 7.
