Three zero-day vulnerabilities in Apple’s iOS mobile operating system are being exploited in the wild in targeted attacks. The vulnerabilities, collectively dubbed “Trident”, can be exploited by attackers to remotely jailbreak Apple iOS devices and install malware.
Q: How were the vulnerabilities discovered?
A: The vulnerabilities were disclosed on August 24 by Citizen Lab, who discovered an attempted attack against Ahmed Mansoor, a UAE-based human rights activist. Mansoor received suspicious SMS messages to his iPhone and handed the device over to Citizen Lab for investigation.
Q: What are the vulnerabilities found in iOS?
A: Trident consists of three related vulnerabilities:
- CVE-2016-4657 leads to arbitrary code execution if a user visits a maliciously crafted website on the vulnerable device
- CVE-2016-4655 can lead an application to disclose kernel memory
- CVE-2016-4656 may allow an application to execute arbitrary code with kernel privileges
Q: How was Trident being exploited in the wild?
A: Citizen Lab found that the Trident vulnerabilities were being exploited to remotely jailbreak iOS devices and install spyware called Pegasus. Pegasus is capable of accessing messages, calls, and emails. It can also gather information from apps including Gmail, Facebook, Skype, and WhatsApp.
Q: What is Pegasus?
A: According to Citizen Lab, Pegasus is spyware developed by Israeli firm NSO Group. The company reportedly only sells its software to governments.
Q: How likely am I to be affected?
A: At present, it appears that Trident has only been used in a limited number of targeted attacks, meaning the chances of being affected are low. However, as news of the vulnerabilities spreads, it is likely that other groups will rush to exploit them.
Q: Is my Apple device vulnerable to Trident?
A: Any device running iOS versions 9.3.4 and below is vulnerable.
Q: What should I do to protect myself from attack?
A: Immediately update iOS to the latest version, 9.3.5.
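For administrators checking a fleet rather than a single phone, the "9.3.4 and below" rule above is easy to get wrong if version strings are compared as text, because "10.0" sorts before "9.3.5" alphabetically. The following is an added example, not code from the original FAQ or from Citizen Lab or Apple: it parses iOS version strings into integer tuples and flags devices that have not reached 9.3.5. The inventory format (device name, version string) and the sample device names are constructed assumptions; a real MDM export would be substituted.

```python
# Added example (not from the original advisory): flag iOS devices whose reported
# version is below 9.3.5, the fixed release named in the FAQ. Versions are compared
# as integer tuples, not strings, because a plain string comparison would wrongly
# place "10.0" below "9.3.5" and report a patched device as vulnerable.
from typing import List, Tuple

# Per the FAQ: iOS 9.3.4 and below are vulnerable; 9.3.5 carries the fix.
FIXED_IOS_VERSION = "9.3.5"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '9.3.4' into the tuple (9, 3, 4).

    Apple reports releases without a patch component as, e.g., '9.3'; these are
    padded to (9, 3, 0) so that '9.3' correctly compares below '9.3.5'.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_vulnerable_to_trident(ios_version: str) -> bool:
    """Return True when the device has not yet received the 9.3.5 update."""
    return parse_version(ios_version) < parse_version(FIXED_IOS_VERSION)


def find_vulnerable_devices(inventory: List[Tuple[str, str]]) -> List[str]:
    """Given (device_name, ios_version) pairs, e.g. from an MDM export (assumed
    format), return the names of devices that still need the update."""
    return [name for name, version in inventory if is_vulnerable_to_trident(version)]


# Constructed sample inventory for illustration; these are not real devices.
SAMPLE_INVENTORY = [
    ("phone-01", "9.3.4"),   # vulnerable: highest unpatched release
    ("phone-02", "9.3.5"),   # patched
    ("phone-03", "9.2"),     # vulnerable: older, no patch component reported
    ("phone-04", "10.0"),    # patched; string comparison would misclassify this
]

if __name__ == "__main__":
    for name in find_vulnerable_devices(SAMPLE_INVENTORY):
        print(f"{name}: update to iOS {FIXED_IOS_VERSION} or later")
```

Running the block lists phone-01 and phone-03 as needing the update; phone-04 on iOS 10.0 is correctly treated as patched only because the comparison is numeric.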
Update – September 2, 2016:
Q: Is any other Apple software affected by Trident?
A: Apple has issued security updates for Safari 9, OS X El Capitan, and OS X Yosemite which patch the Trident vulnerabilities.