Go Update OS X and Safari Right Now

Apple's latest OS X update patches a dangerous (and rare) zero-day vulnerability.

Last week, researchers disclosed an uncommon discovery: a zero-day iOS vulnerability that didn’t just work, but was actively being used by at least one government against a dissident. It turns out that mobile vulnerability works for Safari on Apple’s OS X as well, which is why you should go install the latest updates on your computer right now. (If you haven’t updated iOS on your iPhone or iPad yet—go do that first.)

Apple released Safari 9.1.3 and the OS X security update yesterday, citing the work of Citizen Lab and Lookout, the two research teams that discovered the iOS exploit that Apple patched last week. The description of the vulnerability in the Safari update release notes says that “visiting a maliciously crafted website may lead to arbitrary code execution,” which sounds identical to last week’s iOS flaw.

That exploit allowed hackers to take full control over a victim’s device simply by tricking them into clicking on a malicious link. Created by a shadowy cyberarms group called NSO Group, the attack was discovered after a human rights activist named Ahmed Mansoor received two suspicious SMS messages. Suspecting a phishing attempt, he contacted researchers at Citizen Lab, who were able to identify the exploit’s exact mechanisms.

It’s not surprising that Apple’s desktop products are also affected; the vulnerability lies in Safari’s WebKit, the engine that drives web browsing on all of Apple’s hardware products.

Little is known about NSO Group, but it typically sells to nation-states. In Mansoor’s case, it was likely the United Arab Emirates behind the snooping. Even if you’re not a political target, though, it’s prudent to protect yourself, especially since peace of mind is just a couple of quick updates away.