Last week, Apple issued a surprise security fix for iOS that patched a vulnerability that allowed attackers to remotely gain control of a user’s device if they simply clicked a link. Now, Apple has issued the same security patch for users of OS X 10.11.6 El Capitan and 10.10.5 Yosemite.

Sylvania HomeKit Light Strip

The vulnerability has been named “Pegasus” and takes advantage of zero-day vulnerabilities to remotely jailbreak and install monitoring software on a user’s device, obviously without the user’s knowledge. Part of the exploit takes advantage of a memory corruption flaw in Safari WebKit that allows hackers to initiate the process of overtaking the operating system.

One of the nastiest aspects of this vulnerability is that it allows the attacker to intercept information from a variety of third-party apps and services, including Gmail, Facebook, Skype, WeChat, and more. These are, of course, in addition to first-party services like iMessage and FaceTime.

Last week, iOS 9.3.5 patched the same exploit. At the time, The New York Times described the exploit as an effort “to spy on dissidents and journalists.” Because the mobile and desktop versions of Safari share similar code, the exploit was essentially cross-platform.

Apple writes the following about the Safari 9.1.3 WebKit update on its support website:

WebKit

  • Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.6
  • Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed through improved memory handling.
  • CVE-2016-4654: Citizen Lab and Lookout

Kernel

  • Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
  • Impact: An application may be able to disclose kernel memory
  • Description: A validation issue was addressed through improved input sanitization.
  • CVE-2016-4655: Citizen Lab and Lookout

Kernel

  • Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
  • Impact: An application may be able to execute arbitrary code with kernel privileges
  • Description: A memory corruption issue was addressed through improved memory handling.
  • CVE-2016-4656: Citizen Lab and Lookout

Needless to say, this flaw shouldn’t be taken lightly and all OS X users should update immediately.

About the Author