September 6, 2016 By Douglas Bonderud

First iPhone, now Mac — as noted by IT World, Apple just rolled out an emergency security update for OS X to address three zero-day flaws that could help cybercriminals take total control of mobile, desktop or laptop devices.

Discovered by Lookout Mobile and Citizen Lab, the trio of troublesome exploits was kept under wraps until Apple put together a patch for iOS last week. But with similar code structures, OS X was also under threat, prompting a new update for Mac. Time put it simply: “You need to update your Apple computer right now.”

A Critical Security Update

According to The Guardian, this new security update fixes problems in El Capitan and Yosemite to plug holes in both the Safari browser and the underlying OS. The older Mavericks OS is left out of the loop, since Apple will soon be releasing its 2017 update and Mavericks has almost reached the end of support.

So why all the urgency surrounding this new patch? It all started with activist Ahmed Mansour in the United Arab Emirates. At the beginning of August, Mansour received two odd messages about dissidents being held in the country and forwarded them to security researchers. They discovered an emergent type of iOS spyware that could hijack a user’s phone just by opening a Safari link.

Although Apple moved quickly to create a mobile fix, there’s no word on why its similar desktop architecture took a week longer to secure, especially since it would have been possible for cybercriminals to leverage this code and craft a Mac-specific attack post-disclosure.

So far, no reports have emerged about OS X systems turned spy, but it’s a good idea for Mac users to update their systems ASAP.

3 x 0 = Trident

Termed Trident by the Lookout security team, the three zero-day exploits were used to attack Mansour’s phone. Lookout described it as “the most sophisticated attack we’ve seen on any endpoint” since it leverages the three vulnerabilities in succession to manipulate the way users typically interact with their mobile device.

Here’s a breakdown of the vulnerabilities:

  1. CVE-2016-4655 is an information leak in the kernel that lets attackers calculate the kernel’s location in memory.
  2. CVE-2016-4656 is a kernel memory corruption flaw that leads to jailbreak. Both 32- and 64-bit devices can be silently broken and have new software installed.
  3. CVE-2016-4657 is a memory corruption flaw in WebKit that allows attackers to compromise devices when users click on a Safari link.

All attackers need to do is send a legitimate-looking text with a Safari link. Once it’s opened, they can gain total control of a device without victims ever knowing they’ve been compromised.

Tight Lips

Meanwhile, Apple’s official security content page, which details the OS X update, illustrates a situation that hardly seems dire. All it offers is a brief description of the problem and its resolution.

This is common practice for Apple: tight lips in the face of serious vulnerabilities is par for the course. But with zero-day problems now targeting OS X and iOS devices more frequently — and given the possibility of cross-compromise, thanks to similar code — the device and software giant may need to take bigger bites out of bad Apples and make sure any mobile security update is immediately mirrored on Mac.
