It turns out that the critical zero-day security vulnerabilities disclosed last week, which targeted iPhone and iPad users, affect Mac users as well.
Late last week, Apple rolled out iOS 9.3.5 update to patch a total of three zero-day vulnerabilities that hackers could have used to remotely gain control of an iPhone by simply making the victim click a link.
Dubbed "Trident," the security holes were used to create spyware (surveillance malware) called 'Pegasus' that was apparently used to target human rights activist Ahmed Mansoor in the United Arab Emirates.
Pegasus could allow an attacker to access an incredible amount of data on a target victim, including text messages, calendar entries, emails, WhatsApp messages, user's location, microphone.
Pegasus Spyware could even allow an attacker to fully download victim's passwords and steal the stored list of WiFi networks, as well as passwords the device connected to.
Apple is now patching the same "Trident" bugs in Safari web browser on its desktop operating system, with urgent security updates for Safari 9 as well as OS X Yosemite and OS X El Capitan.
However, this is not a surprise because iOS and OS X, and mobile and desktop version of Safari browser share much of the same codebase. Therefore, zero-days in Apple's iOS showed up in OS X as well.
Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM
Stay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.Supercharge Your Skills
Pegasus exploit takes advantage of Trident bugs to remotely jailbreak and install a collection of spying software onto a victim's device, without the user's knowledge.
One of the key tools of the exploit takes advantage of a memory corruption bug in Safari WebKit, allowing hackers to deliver the malicious payload when a target victim clicks on a malicious link and initiate the process of overtaking the operating system.
In an advisory, Apple warned that visiting a "maliciously crafted website" via Safari browser could allow attackers to execute arbitrary code on a victim's computer.
The patch updates that Apple released on Thursday fix the nasty Trident bugs, including CVE-2016-4654, CVE-2016-4655, and CVE-2016-4656, which were initially discovered and reported by mobile security startup Lookout and the University of Toronto's Citizen Lab.
Based on a link sent to UAE human rights activist Ahmed Mansoor, Lookout Security, and Citizen Lab traced the three programming blunders and its Pegasus spyware kit to Israeli "cyber war" organization NSO Group, which sells hacking exploits to governments like the UAE.
Users can install security patches for Safari, El Capitan, and Yosemite via the usual software update mechanisms.