Apple Chomps on Critical Zero-Days With Emergency Mac Security Update
First iPhone, now Mac — as noted by IT World, Apple just rolled out an emergency security update for OS X to address three zero-day flaws that could help cybercriminals take total control of mobile, desktop or laptop devices.
Discovered by Lookout Mobile and Citizen Lab, the trio of troublesome exploits was kept under wraps until Apple put together a patch for iOS last week. But with similar code structures, OS X was also under threat, prompting a new update for Mac. Time put it simply: “You need to update your Apple computer right now.”
A Critical Security Update
According to The Guardian, this new security update fixes problems in El Capitan and Yosemite to plug holes in both the Safari browser and the underlying OS. Older OS Maverick is left out of the loop, since Apple will soon be releasing its 2017 update and Maverick has almost reached the end of support.
So why all the urgency surrounding this new patch? It all started with activist Ahmed Mansour in the United Arab Emirates. At the beginning of August, Mansour received two odd messages about dissidents being held in the country and forwarded them to security researchers. They discovered an emergent type of iOS spyware that could hijack a user’s phone just by opening a Safari link.
Although Apple moved quickly to create a mobile fix, there’s no word on why its similar desktop architecture took a week longer to secure, especially since it would have been possible for cybercriminals to leverage this code and craft a Mac-specific attack post-disclosure.
So far, no reports have emerged about OS X systems turned spy, but it’s a good idea for Mac users to update their systems ASAP.
3 x 0 = Trident
Termed Trident by the Lookout security team, the three zero-day exploits were used to attack Mansour’s phone. Lookout described it as “the most sophisticated attack we’ve seen on any endpoint” since it leverages the three vulnerabilities in succession to manipulate the way users typically interact with their mobile device.
Here’s a breakdown of the vulnerabilities:
- CVE-2016-4655 is an information leak in Kernel that lets attackers calculate the kernel’s location in memory.
- CVE-2016-4656 is a Kernel memory corruption that leads to jailbreak. Both 32- and 64-bit devices can be silently broken and have new software installed.
- CVE-2016-4657 is a memory corruption in Webkit that allows attackers to compromise devices when users click on a Safari link.
All attackers need to do is send a legitimate-looking text with a Safari link. Once it’s opened, they can gain total control of a device without victims ever knowing they’ve been compromised.
Meanwhile Apple’s official security content page, which details the OS X update, illustrated a situation that hardly seems dire. All it offers is a brief description of the problem and its resolution.
This is common practice for Apple: tight lips in the face of serious vulnerabilities is par for the course. But with zero-day problems now targeting OS X and iOS devices more frequently — and given the possibility of cross-compromise, thanks to similar code — the device and software giant may need to take bigger bites out of bad Apples and make sure any mobile security update is immediately mirrored on Mac.