Apple also fixes zero days in OS X after iOS
Apple has released a security patch for OS X Yosemite and El Capitan that fixes two vulnerabilities. An update was also released for the Safari browser, which fixes a further security vulnerability.
Details about the update have been posted by Apple on its website. The two vulnerabilities are identified as CVE-2016-4655 and CVE-2016-4656. Both are so-called zero-day vulnerabilities that allow unauthorized access to the kernel. In addition, Safari version 9.1.3 was released, which fixes a third zero-day vulnerability, CVE-2016-4657; details of that patch are also on Apple's website.
The update follows Apple's release of iOS version 9.3.5 earlier this week, which also eliminated these three zero days. The security holes allowed attackers to gain access to the kernel of an iOS device, making it possible to steal data such as messages, telephone conversations and information from all kinds of apps. All three security holes were found by Citizen Lab and Lookout. Because Apple uses a lot of the same code for OS X and iOS, the bugs can be found in both the mobile and desktop OS.
The zero days in question may have been abused for years. Malware called Pegasus has surfaced, and research into that software is said to have led to the Israeli NSO Group, which is owned by the American Francisco Partners.