Apple Issues Patch For Mac OS X To Protect Against iOS Spying Flaw

Apple has had to move quickly on the security front once again with the news that it has rushed out an emergency patch for Mac OS X systems.

It comes after Apple had rushed out a patch in late August for its iOS devices, after exploit code (dubbed Trident) alleged from a Middle East government could have turned the iPhone of a human rights activist into a spyware device with just one click.

Why So Long?

The human right activist in question was Ahmed Mansoor who is based in the United Arab Emirates (UAE).

Mansoor had received a SMS message on his iPhone which contained a link that promised “new secrets” about detainees tortured in UAE jails, if he clicked on it.

But Mansoor was suspicious and instead sent the message to Citizen Lab researchers, who “recognised the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based “cyber war” company that sells Pegasus, a government-exclusive “lawful intercept” spyware product.”

The researchers then discovered that the link led to a chain of iOS zero-day exploits that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware.

The exploit chain was called ‘Trident’, and once it had infected Mansoor’s iPhone, it would have turned the Apple device into a digital spy in his pocket, by utilising his camera and microphone. The spyware would have also recorded his WhatsApp and Viber calls, logged messages sent in mobile chat apps, and tracked his movements, said the Citizen Lab researchers.

But now it seems that the exploit also affects Apple desktop products as well after the iPad maker rushed out a further patch that tackles the same zero-day flaws in its Mac OS X desktop operating system, as well as the desktop version of its OS X Safari browser.

“You may not be a human rights activist, but the fact that it took Apple *days* to issue a fix for OS X users after patching the same vulnerabilities in iOS has opened an opportunity for others to potentially exploit them against desktop users,” warned security expert Graham Cluley.

“In an ideal world, Apple would have patched its mobile and desktop operating systems at the same time,” he blogged. “What we don’t know is whether Apple didn’t know the vulnerability was also present in OS X when it issued the iOS fixes, or whether it made the difficult decision to urgently update iOS even though its equivalent OS X fixes weren’t yet ready.”

Apple Security

Apple has over the years enjoyed a good reputation when it comes to security, but it does have security vulnerabilities, and has had to issue a growing number of patches and updates of late.

Earlier this year security experts and a US government agency advised Windows users to immediately uninstall Apple’s media player Quicktime from their PCs. That warning came after Apple suddenly decided to no longer provide security updates for QuickTime for Windows, leaving the PC version vulnerable to exploitation.

Prior to that in March Apple users were urged to update to the latest versions of iOS and OS X to stay protected from a new zero-day vulnerability that was affecting all previous versions of the software.

And Apple has also been accused by renowned security researcher Stefan Esserof of covering up possible security weaknesses by withdrawing his app from the App Store.

He alleged that Apple’s main motivation for the move was to maintain the appearance that iOS is secure.

Are you a security expert? Try our quiz!