Apple patches two new zero-days in OS X and Safari

Sep 2, 2016 02:30 GMT

Apple today released two security bulletins for OS X and Safari that fix three vulnerabilities related to the now-infamous Pegasus surveillance kit (spyware) created and sold by NSO Group.

Although NSO Group has sold the Pegasus kit for years, a report released by political cyber-espionage researchers from Citizen Lab and mobile security vendor Lookout has only now drawn the world's attention to its product.

Citizen Lab and Lookout identified three vulnerabilities (CVE-2016-4655, CVE-2016-4657, CVE-2016-4658) that allowed Pegasus operators to take remote control of iOS devices with minimal interaction from the user.

Apple patched the flaws last week, but today it has announced new fixes for two other zero-days, along with an OS X patch for one of the previous iOS zero-days that also affected its desktop OS.

Apple fixes new zero-days exploited by Pegasus

The company has patched CVE-2016-4654 in Safari 9.1.3. This is a memory corruption flaw that lets Pegasus run arbitrary code on OS X if a user is tricked into visiting a malicious website with a vulnerable Safari instance.

This vulnerability is an exact mirror of CVE-2016-4658, a flaw in the WebKit engine (used by Safari) as deployed on iOS devices.

For OS X, Apple patched CVE-2016-4655 and CVE-2016-4656. The first issue is an information leak that affected iOS and was solved last week, with the OS X patch coming today.

CVE-2016-4656 is a memory corruption issue that allows OS X apps to run arbitrary code with kernel privileges.

Apple users should update to Safari 9.1.3, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.6.
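A quick way to check whether a Mac is at or above those fixed versions, added here as an example rather than code from the article or from Apple. It assumes the standard `sw_vers` and `defaults` tools and Safari's usual `Info.plist` path, and only performs the live check when those exist, so the comparison logic can also be run elsewhere.

```shell
#!/bin/sh
# Added example: compare an OS X / Safari install against the fixed
# versions named in Apple's bulletins (values taken from the article).
SAFARI_FIXED="9.1.3"
YOSEMITE_FIXED="10.10.5"
ELCAPITAN_FIXED="10.11.6"

# version_ge A B: exit 0 if dotted version A >= B, compared numerically
# component by component (so 9.1.10 >= 9.1.3, and 10.11 < 10.11.6).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0;
            bi = (i <= nb) ? y[i] + 0 : 0;
            if (ai > bi) exit 0;
            if (ai < bi) exit 1;
        }
        exit 0 }'
}

# os_status VERSION: prints patched / vulnerable / unknown for the
# two OS X branches the article lists; other releases are "unknown".
os_status() {
    case "$1" in
        10.10|10.10.*) version_ge "$1" "$YOSEMITE_FIXED"  && echo patched || echo vulnerable ;;
        10.11|10.11.*) version_ge "$1" "$ELCAPITAN_FIXED" && echo patched || echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# safari_status VERSION: prints patched / vulnerable against Safari 9.1.3.
safari_status() {
    version_ge "$1" "$SAFARI_FIXED" && echo patched || echo vulnerable
}

# Live check, only on a Mac where these tools exist (assumed paths/tools).
if command -v sw_vers >/dev/null 2>&1; then
    os=$(sw_vers -productVersion)
    echo "OS X $os: $(os_status "$os")"
    plist=/Applications/Safari.app/Contents/Info.plist
    if [ -f "$plist" ]; then
        sv=$(defaults read "$plist" CFBundleShortVersionString)
        echo "Safari $sv: $(safari_status "$sv")"
    fi
fi
```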

Zero-days used for government surveillance

All these bugs show NSO's ability to create a super-spying toolkit that allowed its customers, usually oppressive governments, to spy on their targets.

It's currently unknown how many years NSO Group has been in possession of these zero-days, or how many victims have been arrested, tortured, jailed or even killed as a result of the company's decision to sell surveillance software to regimes with a very poor track record on privacy and human rights.

Citizen Lab says it detected governments using Pegasus against their own citizens in Mexico, Kenya, and the United Arab Emirates.