Apple has rushed out an urgent patch for the iPhone following an attack on a human rights lawyer's device believed to have been made by the security forces of a repressive regime with the help of a shadowy IT security company.
The patch was put together after Apple was alerted to a "sophisticated" spyware threat affecting iOS that exploited a number of zero-day vulnerabilities that the security company had reportedly purchased.
iOS 9.3.5 was rushed out on Thursday in response after security company Lookout and watchdog Citizen Lab informed Apple about the spyware threat that takes advantage of three previously unknown vulnerabilities in the iOS code.
- CVE-2016-4655 - an input validation flaw that could allow iOS kernel memory contents to be viewed by an installed app;
- CVE-2016-4656 - a remote code execution from memory corruption flaw in the iOS kernel that can be exploited by an installed app;
- CVE-2016-4657 - a remote code execution flaw in WebKit that could enable an attacker to jailbreak and install malware on an iOS device by way of a specially crafted web page.
Lookout collectively calls the three zero-day vulnerabilities Trident, and warned that they could enable personal data to be accessed after simply opening a link sent in a text message.
"It infects a user's phone invisibly and silently, such that victims do not know they’ve been compromised," the company said.
The discovery was made after human rights lawyer Ahmed Mansoor alerted security researchers to unsolicited text messages he had received on his iPhone.
Following the link would have jailbroken his phone and infected it with malware capable of logging encrypted messages, activating the microphone and tracking the handset's movements.
"Pegasus is professionally developed and highly advanced in its use of zero-day vulnerabilities, code obfuscation and encryption," the researchers wrote.
"It uses sophisticated function-hooking to subvert operating system and application-layer security in voice/audio calls and apps including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, Apple’s built-in messaging and email apps, and others.
"It steals the victim’s contact list and GPS location, as well as personal, WiFi and router passwords stored on the device."
Apple is said to have fixed the faults 10 days after Lookout sounded the alarm.
"We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all our customers to always download the latest version of iOS to protect themselves against potential security exploits," the firm said in a statement.
Apple has also confirmed that the bugs were fixed in the latest versions of the iOS 10 public and developer betas pushed out last week.
Campaigners want US authorities to break-up Instagram, WhatsApp and Messenger into separate companies
The perception of the industry as "a white man in a hard hat" is limiting new applicants, says Hayaatun Sillem
Almost two years late - and just as AMD is readying 7nm Zen 2 for early 2019
Eye-wateringly expensive smart speakers take just six per cent market share, claims Strategy Analytics