- Jan 24, 2011
- 9,378
Independent researchers tracked down malware sent to a Middle Eastern human-rights activist and alerted Apple, which patched three separate zero-day exploits.
Apple released an update to iOS 9 on Thursday—iOS 9.3.5—that patches multiple critical zero-day vulnerabilities that have been shown to already have been deployed, allegedly by governments to target activists and dissidents, according to a report from Citizen Lab and Lookout Security. Apple turned around an update within 10 days from when the company received Citizen Lab’s initial report. The update is recommended immediately for all iOS 9 devices.
When used together, the exploits allow someone to hijack an iOS device and control or monitor it remotely. Hijackers would have access to the device’s camera and microphone, and could capture audio calls even in otherwise end-to-end secured apps like WhatsApp. They could also grab stored images, tracking movements, and retrieve files.
Some of the exploits may have been discovered months ago or longer, so there’s no way to know how widely they’re in use, but details suggest these active exploits in previous versions of iOS 9 weren’t in wide use and were deployed against individual targets.
“What we have seen from looking at these exploits is that it seems that they have been in the wild a bit longer than the 9.3.3/9.3.4 timeframe,” report co-author Bill Marczak of Citizen Lab said in an interview. iOS 9.3.3 was released on July 18.
An Apple spokesperson said, “We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits.”
Jailbreaks have been demonstrated but not yet released for iOS 9.3.4, and it’s possible those jailbreaks relied on one or more aspects of the three flaws now patched.
Read more: Apple advises immediate update to iOS 9.3.5 after discovery of targeted iPhone spyware
Apple released an update to iOS 9 on Thursday—iOS 9.3.5—that patches multiple critical zero-day vulnerabilities that have been shown to already have been deployed, allegedly by governments to target activists and dissidents, according to a report from Citizen Lab and Lookout Security. Apple turned around an update within 10 days from when the company received Citizen Lab’s initial report. The update is recommended immediately for all iOS 9 devices.
When used together, the exploits allow someone to hijack an iOS device and control or monitor it remotely. Hijackers would have access to the device’s camera and microphone, and could capture audio calls even in otherwise end-to-end secured apps like WhatsApp. They could also grab stored images, tracking movements, and retrieve files.
Some of the exploits may have been discovered months ago or longer, so there’s no way to know how widely they’re in use, but details suggest these active exploits in previous versions of iOS 9 weren’t in wide use and were deployed against individual targets.
“What we have seen from looking at these exploits is that it seems that they have been in the wild a bit longer than the 9.3.3/9.3.4 timeframe,” report co-author Bill Marczak of Citizen Lab said in an interview. iOS 9.3.3 was released on July 18.
An Apple spokesperson said, “We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits.”
Jailbreaks have been demonstrated but not yet released for iOS 9.3.4, and it’s possible those jailbreaks relied on one or more aspects of the three flaws now patched.
Read more: Apple advises immediate update to iOS 9.3.5 after discovery of targeted iPhone spyware
