Apple patches two new zero-days in OS X and Safari

Apple released two security bulletins today, for OS X and Safari, fixing three vulnerabilities tied to the now infamous Pegasus surveillance kit (spyware) built and sold by NSO Group.
Although NSO Group has sold the Pegasus kit for years, only a recent report by political cyber-espionage researchers at Citizen Lab and mobile security vendor Lookout drew the world's attention to the product.
Citizen Lab and Lookout identified three vulnerabilities (CVE-2016-4655, CVE-2016-4657, CVE-2016-4658) that allowed Pegasus owners to take control of iOS devices from a remote location with minimal interaction from the user.
Apple patched the flaws last week, but today announced new fixes for two new zero-days, along with an OS X patch for one of the previous iOS zero-days that also affected its desktop OS.
Apple fixes new zero-days exploited by Pegasus
The company patched CVE-2016-4654 in Safari 9.1.3. This is a memory corruption flaw that lets a Pegasus operator run arbitrary code on OS X by tricking a user into opening a website in a vulnerable Safari instance.
This vulnerability is the OS X counterpart of CVE-2016-4658, a vulnerability in the WebKit engine (used by Safari) as deployed on iOS devices.
For OS X, Apple patched CVE-2016-4655 and CVE-2016-4656. The first is an information leak that also affected iOS; it was patched there last week, with the OS X patch arriving today.
CVE-2016-4656 is a memory corruption issue that allows an OS X application to run arbitrary code with kernel privileges.
Apple users should update to Safari 9.1.3, OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6.
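The minimum versions named above turn into a simple fleet check. The script below is an added example, not Apple's or the article's code: it parses `sw_vers`-style output (a constructed sample is embedded) and a Safari version string, and reports whether each is at or above the versions the advisory names. The version thresholds are the article's; the function names and the sample output are assumptions made for the example.

```python
"""Check OS X and Safari versions against the minimums named in the advisory.
Added example; not Apple's or the article's code."""
import re

# Minimum fixed versions stated in the article.
MIN_SAFARI = (9, 1, 3)
MIN_OSX = {
    (10, 10): (10, 10, 5),  # OS X Yosemite
    (10, 11): (10, 11, 6),  # OS X El Capitan
}


def parse_version(text):
    """'10.11.6' -> (10, 11, 6); a two-part string like '10.11' becomes (10, 11, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def product_version_from_sw_vers(output):
    """Extract the ProductVersion value from the text `sw_vers` prints."""
    for line in output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "ProductVersion":
            return value.strip()
    raise ValueError("no ProductVersion line in sw_vers output")


def osx_status(version_str):
    """Return 'patched', 'unpatched', or 'unknown' (a release line the advisory
    does not cover, so the check cannot say anything about it)."""
    v = parse_version(version_str)
    minimum = MIN_OSX.get(v[:2])
    if minimum is None:
        return "unknown"
    return "patched" if v >= minimum else "unpatched"


def safari_status(version_str):
    """Return 'patched' or 'unpatched' for a Safari CFBundleShortVersionString."""
    return "patched" if parse_version(version_str) >= MIN_SAFARI else "unpatched"


# Constructed sample, in the layout `sw_vers` uses (hypothetical host).
SAMPLE_SW_VERS = "ProductName:\tMac OS X\nProductVersion:\t10.11.5\nBuildVersion:\t15F34\n"

if __name__ == "__main__":
    # On a real Mac, feed in `sw_vers` output and the value of
    #   defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString
    osx = product_version_from_sw_vers(SAMPLE_SW_VERS)
    print("OS X", osx, osx_status(osx))
    print("Safari 9.1.2", safari_status("9.1.2"))
```

A version number alone is a necessary but not sufficient signal on OS X: Apple delivers fixes for an existing point release as a security update that leaves `ProductVersion` unchanged, so a host reporting 10.11.6 may still be missing the update. Pair this check with `softwareupdate -l` (no pending updates listed) or with the build number after the update is applied.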
Zero-days used for government surveillance
Together these bugs show NSO's ability to build a powerful spying toolkit that let its customers, usually oppressive governments, spy on their targets.
It is currently unknown how many years NSO Group has held these zero-days, or how many victims were arrested, tortured, jailed, or even killed as a result of the company's decision to sell surveillance software to regimes with a very poor record on privacy and human rights.
Citizen Lab says it detected governments using Pegasus against their own citizens in Mexico, Kenya, and the United Arab Emirates.