September brings us updates for Safari and Mac OS X which appear to be a late response to the iOS zero-day vulnerabilities patched last week in iOS 9.3.5. Because of the nature of the exploits for these vulnerabilities and the small size of the update, these updates should be treated as critical and applied quickly.
To better understand these updates, we must look at iOS 9.3.5, which came out on August 25, 2016. Deep analysis by Lookout and Citizen Lab found that a spyware product called Pegasus uses zero-day vulnerabilities and sophisticated techniques for targeted attacks on mobile devices. The three vulnerabilities in use are being dubbed the Trident Exploit Chain:
- CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution
- CVE-2016-4655: An application may be able to disclose kernel memory
- CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges
To summarize the exploit actions, here is Lookout's description:
“The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.”
Read more: Sophisticated, persistent mobile attack against high-value targets on iOS (Lookout)
Once installed, the spyware can be used to gather data from the phones including calls, messages, and app data. Targets for these attacks include a human rights activist from the United Arab Emirates, a Mexican journalist, and unknown individuals from Kenya.
Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite
The two kernel vulnerabilities were included in these updates. With iOS 9.3.5 as a background, there are a few insights. First, OS X and iOS share a lot of code. This has always been known, but this update really reinforces that reality. Exploits may target one platform over the other, but the potential for exploit often exists on both platforms. The second insight, or question, is: why the delay? Obviously, the exploit chain was being used on iOS, but the same sequence of phishing, opening a browser and loading malicious code works just as well on Mac OS X. It could be a simple case of engineering timelines, but security teams should again consider that what happens on iOS may affect Mac OS X and vice versa.
Noticeably absent from these updates is an update for the nearly 3-year-old OS X Mavericks. There are a few conclusions that you can draw from this difference: either OS X Mavericks isn’t vulnerable or Apple chose not to fix these issues. If there have ever been vulnerabilities worth fixing, this set would be it. That said, if I’m a betting man, I say that Apple decided not to fix these issues. As I’ve noted in previous articles, Apple is selective about fixing issues for older versions of Mac OS X, and staying current on the latest version is as important as applying the latest patches. I can’t state for a fact that OS X Mavericks is vulnerable, but I would be shocked if somehow it didn’t have these vulnerabilities.
Safari 9.1.3 fixes the vulnerability where a maliciously crafted website may lead to arbitrary code execution. We see such vulnerabilities addressed in almost every Safari update, and they should be a warning, as these are prime for exploitation through phishing or any other method that cons unsuspecting users into clicking a link.
If there are a few takeaways for IT and security teams here, they are:
- Consider iOS and Mac OS X vulnerabilities to be related to each other
- Older versions of Mac OS X are not going to get updates for every vulnerability, including obviously critical ones
- Don’t ignore your Apple devices – they get exploited too
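A practical way to act on the Safari 9.1.3 point and the Mavericks takeaway above is a fleet inventory check that compares what a Mac reports against the fixed versions named in this article. The script below is an added example written for this post, not code from Apple, Lookout or Citizen Lab. The only facts it takes from the article are the Safari 9.1.3 fix version and the absence of a Mavericks (10.9) update; the `defaults` and `sw_vers` commands are standard macOS tooling, and the Safari path assumes the default `/Applications` install. The comparison logic is pure POSIX sh so it can be exercised on any system with constructed version strings.

```shell
#!/bin/sh
# Added example (not from the article): check a Mac's Safari version against the
# minimum fixed release for CVE-2016-4657 and flag OS X Mavericks, which received
# no Security Update in this round according to the article.

MIN_SAFARI="9.1.3"   # Safari 9.1.3 fixes the "maliciously crafted website" bug

# version_ge A B : return 0 if dotted version A >= B (numeric, component by component)
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ -z "$ai" ] && ai=0          # missing trailing component counts as 0
    [ -z "$bi" ] && bi=0
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 0
}

# safari_status VERSION : print "patched" or "vulnerable" for a given Safari version
safari_status() {
  if version_ge "$1" "$MIN_SAFARI"; then echo patched; else echo vulnerable; fi
}

# macos_status PRODUCT_VERSION : classify the OS line by what the article reports.
#   10.9.x  -> no-fix-available   (Mavericks got no Security Update)
#   10.10.x -> needs-2016-005     (Yosemite: Security Update 2016-005)
#   10.11.x -> needs-2016-001     (El Capitan: Security Update 2016-001)
#   other   -> unknown
macos_status() {
  case "$1" in
    10.9|10.9.*)   echo no-fix-available ;;
    10.10|10.10.*) echo needs-2016-005 ;;
    10.11|10.11.*) echo needs-2016-001 ;;
    *)             echo unknown ;;
  esac
}

# Read the live values on a Mac (assumes Safari at its default path).
installed_safari_version() {
  defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString 2>/dev/null
}
installed_macos_version() {
  sw_vers -productVersion 2>/dev/null
}

# report : one-line summary suitable for collection by an inventory tool
report() {
  sv="$(installed_safari_version)"; ov="$(installed_macos_version)"
  [ -n "$sv" ] || sv="unknown"
  [ -n "$ov" ] || ov="unknown"
  printf 'safari=%s safari_status=%s macos=%s macos_status=%s\n' \
    "$sv" "$(safari_status "$sv")" "$ov" "$(macos_status "$ov")"
}
```

Note that "needs-2016-00x" only says which Security Update applies to that OS line; whether it has actually been installed is not recoverable from the product version alone, so an inventory tool should also pull the install history (for example from System Information's Installations list) before marking a Yosemite or El Capitan host as patched.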