Apple issued critical updates for OS X Yosemite and El Capitan on Thursday to patch security vulnerabilities resembling those discovered on iOS 9.3.5 earlier this week. Dubbed Trident, the three zero-day vulnerabilities (CVE-2016-4655, CVE-2016-4656 and CVE-2016-4657) could allow an attacker to silently jailbreak an iOS device and spy on victims, warned researchers at Citizen Lab and Lookout, who first identified the flaws. An adversary can then collect information from numerous widely used apps, including Gmail, Facebook, WhatsApp, Skype, Calendar, FaceTime and more. One week after Apple issued a fix for iOS, the firm released a patch to resolve the CVE-2016-4655 and CVE-2016-4656 vulnerabilities in OS X Yosemite (v10.10.5) and OS X El Capitan (v10.11.6), as well as a patch for CVE-2016-4657 affecting Safari in both OS X Mavericks (v10.9.5) and OS X Yosemite (v10.10.5). According to reports, the flaws were being actively exploited in a spyware product called Pegasus. The surveillance software was allegedly developed and sold by an Israeli-based “cyber warfare” firm known as NSO Group, whose clientele is primarily comprised of governments. In an in-depth report by Lookout and Citizen Lab, the researchers disclosed how the vulnerabilities were used to spy on UAE activist Ahmed Mansoor. Following the news of the zero-day flaws impacting Apple devices, Congressman Ted Lieu issued a statement urging the U.S. government to pay closer attention to mobile security:
“I am pleased that Apple was able to quickly address this security breach, but it is clear that Congress must do more to address the issues of mobile security,” said Congressman Ted W. Lieu.
“I believe a congressional hearing is in order and plan to work with my colleagues to examine these critical security concerns,” Congressman Ted W. Lieu added.
