Apple has released the latest iOS security update for iDevice users. The update iOS 9.3.5 has been released to fix 3 major vulnerabilities in iOS which puts the devices at a great risk of being hacked or infected with malicious software. Apple published a security bulletin announcing the release of iOS security update (9.3.5) . As per the security bulletin, the update fixes 3 security issues which are :
- Kernel Bug: This bug allows an application to disclose Kernel memory. The update has been released for iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later devices.
- Kernel Bug: This bug allows an application to execute an arbitrary code with Kernel privileges. The update has been released for iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
- WebKit Bug: This bug allows execution of an arbitrary code if the user visits any maliciously crafted website. The update has been released for iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later.
A hacker can use these 3 vulnerabilities in combination to carry out a successful exploit. The attack usually starts by redirecting a user to a malicious website through Social Engineering. Once the user reaches the infected website, his device downloads a malware and the hacker gains Kernel level privileges. Infact an exploit involving a rare and highly expensive spyware has already been carried out in Middle east on an Apple user. The espionage software was discovered after Ahmed Mansoor, a prominent UAE dissident received a text message on his iPhone 6 asking him to click on a weblink. Having been a victim of a spyware in past Ahmed forwarded the text message to researchers at the Citizen Lab at the University of Toronto. Researchers at Citizen Lab worked together with a San-Francisco based mobile security firm Lookout. In a blogpost by Lookout, they described discovery of 3 Zero-day vulnerabilities which they have termed as “Trident”. The Citizen Lab traced the weblink that Ahmed received on his iPhone 6 to an Israel based “cyber war” company. The company named NSO group is known for selling the spyware product “Pegasus”.
The seriousness of these vulnerabilities is extremely high and have been confirmed the way Apple immediately released the iOS security update. While the widespread use of the malware is not known at the moment, but the vulnerabilities have been present for atleast last 3 years which could make the extent of damage being done around the world quite high. It is important to note that once a malware is installed in your phone upon visiting the malicious link it can have serious consequences. The malware can scan through your contacts, text messages, pictures and videos, and even surreptitiously record your conversations by switching on the microphone and upload all the details to the hacker at Command & Control server.
Click here to download the iOS security update.