September 6, 2016 By Douglas Bonderud

First iPhone, now Mac — as noted by IT World, Apple just rolled out an emergency security update for OS X to address three zero-day flaws that could help cybercriminals take total control of mobile, desktop or laptop devices.

Discovered by Lookout Mobile and Citizen Lab, the trio of troublesome exploits was kept under wraps until Apple put together a patch for iOS last week. But with similar code structures, OS X was also under threat, prompting a new update for Mac. Time put it simply: “You need to update your Apple computer right now.”

A Critical Security Update

According to The Guardian, this new security update fixes problems in El Capitan and Yosemite to plug holes in both the Safari browser and the underlying OS. The older OS X Mavericks is left out of the loop, since Apple will soon be releasing its 2017 update and Mavericks has almost reached the end of support.

So why all the urgency surrounding this new patch? It all started with activist Ahmed Mansour in the United Arab Emirates. At the beginning of August, Mansour received two odd messages about dissidents being held in the country and forwarded them to security researchers. They discovered an emergent type of iOS spyware that could hijack a user’s phone just by opening a Safari link.

Although Apple moved quickly to create a mobile fix, there’s no word on why its similar desktop architecture took a week longer to secure, especially since it would have been possible for cybercriminals to leverage this code and craft a Mac-specific attack post-disclosure.

So far, no reports have emerged about OS X systems turned spy, but it’s a good idea for Mac users to update their systems ASAP.

3 x 0 = Trident

Termed Trident by the Lookout security team, the three zero-day exploits were used to attack Mansour’s phone. Lookout described it as “the most sophisticated attack we’ve seen on any endpoint” since it leverages the three vulnerabilities in succession to manipulate the way users typically interact with their mobile device.

Here’s a breakdown of the vulnerabilities:

  1. CVE-2016-4655 is an information leak in the kernel that lets attackers calculate the kernel’s location in memory.
  2. CVE-2016-4656 is a kernel memory corruption that leads to jailbreak. Both 32- and 64-bit devices can be silently broken and have new software installed.
  3. CVE-2016-4657 is a memory corruption in WebKit that allows attackers to compromise devices when users click on a Safari link.

All attackers need to do is send a legitimate-looking text with a Safari link. Once it’s opened, they can gain total control of a device without victims ever knowing they’ve been compromised.

Tight Lips

Meanwhile, Apple’s official security content page, which details the OS X update, illustrates a situation that hardly seems dire. All it offers is a brief description of the problem and its resolution.

This is common practice for Apple: tight lips in the face of serious vulnerabilities is par for the course. But with zero-day problems now targeting OS X and iOS devices more frequently — and given the possibility of cross-compromise, thanks to similar code — the device and software giant may need to take bigger bites out of bad Apples and make sure any mobile security update is immediately mirrored on Mac.
