Mac OS X and Safari underwent a few updates today which appear to be a late response to the iOS zero-day vulnerabilities patched last week on iOS 9.3.5. These updates should be treated as critical and quickly applied quickly.

iOS 9.3.5

First, we must we must explore iOS 9.3.5 that came out on August 25, 2016 in order to better understand these updates.

Lookout and Citizen Lab analysts found that Pegasus, a spyware product, uses zero-day vulnerabilities and sophisticated techniques for mobile-targeted attacks.

This "Trident Exploit Chain" (the three vulnerabilities) are the following:

  • CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution
  • CVE-2016-4655: An application may be able to disclose kernel memory
  • CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges

The exploit actions are summarized by Lookout:

“The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised."

The spyware, once installed, can be used to gather data from everything from messages, phone calls, and application data. It has already targeted a human rights activitst from the United Arab Emirates, unknown people from Kenya, and a Mexican journalist.

Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite

These updates also included two kernal vulnerabilities.

There are a few insights with iOS 9.3.5 as a background. For starters, OS X and iOS have a lot of code in common. This isn't news, but the latest update reinforces this fact. The potential for exploits exists on both platforms.

Secondly, why the delay? It could be a case of engineering timelines, but security professionals should again consider that what happens on iOS may affect Mac OS X and the other way around.

Noticeably absent from these updates is an update for the nearly three-year-old OS X Mavericks. There are a few conclusions that you can make based on this difference: OS Mavericks isn’t vulnerable, or Apple didn’t choose to fix these issues.

If there have ever been vulnerabilities worth fixing, this set would be it. That said, if I’m a betting man, I would say that Apple decided not to fix these issues. As I’ve noted in previous articles, Apple is selective about fixing issues for the older versions of Mac OS X and staying current on the latest version is important as applying the latest patches. I can’t state for a fact that OS X Mavericks is vulnerable, but I would be shocked if somehow it didn’t have these vulnerabilities.

Safari 9.1.3

Safari 9.1.3 fixes the vulnerability where a maliciously crafted website may lead to arbitrary code execution. We see such vulnerabilities addressed in almost every Safari update and, this should be a warning as these are prime for exploit through phishing or any other method which cons unsuspecting users to click on a link.

Summary

If there are few takeaways for IT and security teams here, they are:

  • Consider iOS and Mac OS X vulnerabilities to be related to each other
  • Older versions of Mac OS X are not going to have updates to fix every vulnerability including obvious critical ones
  • Don’t ignore your Apple devices – they get exploited too