Already rolled into the Pegasus spyware product and used to target social activists, the vulnerabilities are fixed in iOS 9.3.5.
Apple, today, released patches for a trio of iOS zero-day vulnerabilities that, when used together, enable an attacker to remotely, silently jailbreak the device phone and install highly sophisticated spyware upon it.
The vulnerabilities, collectively called “Trident,” are patched in iOS version 9.3.5. They include CVE-2016-4655, Memory Corruption in Webkit, CVE-2016-4656, Information leak in Kernel, and CVE-2016-4657, Kernel Memory corruption leads to Jailbreak.
The discovery was made by Lookout and Citizen Lab, who worked with Apple on the patch before making the disclosure. Citizen Lab was tipped off to the bugs first by United Arab Emirates-based human rights defender Ahmed Mansoor, who reported that he had received suspicious text messages. Citizen Lab and Lookout investigated, and found that Mansoor — who has been targeted by “lawful intercept malware” in the past — was now being targeted by Francisco Partners Management’s Pegasus spyware product, which was now equipped to exploit this trio of undisclosed iOS zero-day vulnerabilities.
For more information, see the blog at Lookout.
Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio