Apple fixes three zero-day flaws worth one million dollars

Apple has released a security update to iOS today, responding to three previously unknown nothing-day exploits. These vulnerabilities were exploited by an Israeli outfit NSO Group that sells "cyber arms" to governments. In this instance, the million dollar exploits were used to target a prominent human rights activist in the United Arab Emirates.

Ahmed Mansoor, a human rights activist from the UAE has long been a victim of government hackers. From FinFisher'south highly sophisticated spyware products to Hacking Team'due south Remote Command Organisation, Mansoor has become the face of cyber espionage victims. In the latest of such surveillance attempts, on August x Mansoor received a text message that claimed to share "new secrets" about detainees tortured in the UAE jails. This bulletin was then followed past a link.

Since he has already had experience with government hackers, instead of clicking on the link, Mansoor sent the bulletin to researchers at the Citizen Lab at the University of Toronto'southward Munk School of Global Affairs. The link was afterwards discovered to be a sophisticated piece of spyware that exploitediii unknown zero day vulnerabilities in iOS. These exploits would have allowed hackers to get full control of Mansoor'southward iPhone, including his phone's camera and microphone. Researchers said that NSO Group's software tin can read text messages and emails, track calls and contacts, record sounds, and trace the location of the user.

Once infected, Mansoor's telephone would have get a digital spy in his pocket, capable of employing his iPhone's photographic camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.

Apple fixes three nil-mean solar day flaws worth one million dollars

Investigators reported that this is the first time anyone has uncovered an assault that has leveraged iii unknown goose egg-days in the iPhone. Calling the set on Trident, researchers from the Denizen Lab and mobile security company Sentry said that the assail was 1 of the well-nigh sophisticated pieces of cyberespionage software e'er seen. Using iOS vulnerabilities, Trident had the ability to remote jailbreak Mansoor's iPhone six, installing spyware on his phone.

The Trident Exploit Chain:

CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary lawmaking execution

CVE-2016-4655: An application may be able to disembalm kernel retentivity

CVE-2016-4656: An application may exist able to execute arbitrary code with kernel privileges

The research on the attack led the team to NSO Group's Pegasus spyware, which is sold exclusively to authorities agencies making it a "legal spyware suite," hinting that this attack was also designed for a authorities agency. NSO Grouping is an Israel-based organization that was acquired by U.S. company Francisco Partners Direction in 2022. According to reports, NSO specializes in "cyber war" and is basically a cyber arms dealer.

Afterward the researchers alerted Apple of these exploits, the visitor immediately worked to fix them and the patch has been released today with iOS 9.3.5. Apple frequently sends regular maintenance and security updates to its iOS mobile operating system. However, today'south release of iOS 9.three.5 is a highly recommended update equally it fixes three zero-day vulnerabilities - said to be worth every bit much as one 1000000 dollars!

iPhone or iOS, naught is secure when information technology comes to the coin and technology that governments have access to. Today'southward report just confirms that. "The people that we come across being targeted past these texts today - dissidents, activists - these are kind of the people on the frontlines of what is to come for all of u.s.a. tomorrow, these guys are sort of the canaries in the coal mine," Denizen Lab's Bill Marczak said.