A week after patching the three spyware bugs in iOS that enabled the Pegasus cyberweapon exploit, Apple has patched those same vulnerabilities in OS X and Safari. Apple's desktop software, which shares code with iOS, also shared the vulnerabilities exploited by Pegasus.
The Pegasus remote exploit chained three zero-day vulnerabilities. It came to light last month when it was used, unsuccessfully, against human rights activist Ahmed Mansoor in an operation that Citizen Lab linked to the United Arab Emirates government; Mansoor forwarded the SMS lure to researchers instead of tapping the link.
The exploit code was offered to governments by the NSO Group, the Israeli cyberweapons dealer, as lawful intercept spyware for surveilling high-value targets. Pegasus allowed governments to remotely jailbreak a victim's iPhone, install surveillance software, and read or control virtually all data and communications on the victim's device.
The spyware bugs in OS X, patched by Apple in OS X El Capitan and Yosemite, are:
- CVE-2016-4655, an information leak in the kernel, described as a "kernel base mapping vulnerability that leaks information to the attacker, allowing him to calculate the kernel's location in memory";
- CVE-2016-4656, a kernel memory corruption vulnerability that enables jailbreaking and encompasses "kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software"; and
- CVE-2016-4657, a memory corruption vulnerability in Safari's WebKit that lets the attacker compromise the device when the user clicks a link to a malicious website. Apple has released a separate Safari update for this bug.
Chained, the three form one attack: the WebKit bug gains code execution from a web page, the kernel leak defeats kernel address-space randomization, and the kernel corruption bug turns that into kernel-level control. Because the chain needs all three, the OS X and Safari updates should be applied together; `softwareupdate --list` on an affected Mac shows whether either is still pending.
In other news
- Air gapping, one of the bedrock protections in network security, was shown to be leaky by a team of Israeli researchers who published their work on USBee, software that turns a stock USB device connected to an air gapped computer into an RF transmitter. USBee is an exfiltration channel rather than a way in: it has to already be running on the isolated machine, and it only moves data outward, to a receiver within radio range.
The USBee proof-of-concept code transmits binary data from an unmodified USB device to a nearby receiver, the researchers wrote, although only at a bandwidth of between 20 and 80 bytes per second.
The research team from Ben-Gurion University of the Negev, in Beersheba, Israel, included Yuval Elovici, professor at the Department of Information Systems Engineering, and security researchers Mordechai Guri and Matan Monitz.
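The mechanism behind USBee, as an added first-order model written for this page (not the Ben-Gurion team's code): a program on the air-gapped host writes a chosen byte pattern to a USB 2.0 device, the NRZI-encoded bus traffic radiates at a frequency set by that pattern, and two patterns carry bits with binary frequency-shift keying. The model assumes the 480 Mb/s high-speed signalling rate, USB's NRZI rule (a 0 bit toggles the line, a 1 bit does not), an ideal receiver that reads off the fundamental frequency, and the 80 bytes per second figure from the paper; the specific patterns, packet framing, bit stuffing and harmonics are simplified away.

```python
"""
First-order model of the USBee transmitter and an ideal receiver.
Added illustration for this page; not the researchers' USBee code.
Packet framing, bit stuffing and harmonics are ignored (assumption).
"""

USB2_BIT_RATE_HZ = 480_000_000   # USB 2.0 high-speed signalling rate

# Patterns chosen for the model (assumption): 0x00 toggles the line on every
# bit (240 MHz carrier), 0x55 on every second bit (120 MHz carrier).
PATTERN_MARK = b"\x00"    # carries a 1 bit on the air
PATTERN_SPACE = b"\x55"   # carries a 0 bit on the air
BYTES_PER_SECOND = 80     # upper end of the reported USBee rate
BIT_TIME_S = 1 / (8 * BYTES_PER_SECOND)


def bytes_to_bits(data):
    """USB shifts bytes out least-significant bit first."""
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    return bytes(sum(b << i for i, b in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))


def nrzi_encode(bits):
    """USB NRZI: a 0 bit toggles the line level, a 1 bit leaves it unchanged."""
    level, line = 1, []
    for bit in bits:
        if bit == 0:
            level ^= 1
        line.append(level)
    return line


def fundamental_hz(pattern, repeats=64):
    """Fundamental emitted frequency of a byte pattern written back to back:
    bus rate divided by the average bits per line transition, halved because
    one cycle of the resulting square wave is two transitions."""
    line = nrzi_encode(bytes_to_bits(pattern * repeats))
    edges = [i for i in range(1, len(line)) if line[i] != line[i - 1]]
    if len(edges) < 2:
        return 0.0
    bits_per_edge = (edges[-1] - edges[0]) / (len(edges) - 1)
    return USB2_BIT_RATE_HZ / (2 * bits_per_edge)


def bfsk_modulate(payload):
    """Schedule of (byte pattern, seconds to keep writing it), one per payload bit."""
    return [(PATTERN_MARK if bit else PATTERN_SPACE, BIT_TIME_S)
            for bit in bytes_to_bits(payload)]


def simulate_channel(schedule):
    """Ideal receiver: measures the fundamental of whatever pattern is on the bus."""
    return [fundamental_hz(pattern) for pattern, _ in schedule]


def bfsk_demodulate(observed_hz, threshold_hz=180e6):
    """Decide each symbol by which of the two carriers was observed."""
    bits = [1 if f > threshold_hz else 0 for f in observed_hz]
    return bits_to_bytes(bits)


def exfiltrate(payload):
    """Round trip through the model: returns (recovered bytes, airtime in seconds)."""
    schedule = bfsk_modulate(payload)
    recovered = bfsk_demodulate(simulate_channel(schedule))
    return recovered, sum(seconds for _, seconds in schedule)


if __name__ == "__main__":
    for pat in (b"\x00", b"\x55", b"\xb6\x6d\xdb"):
        print(pat.hex(), f"{fundamental_hz(pat) / 1e6:.0f} MHz")
    data, airtime = exfiltrate(b"secret")
    print(data, f"{airtime:.3f} s on the air")
```

The point the model makes is that the transmitter needs no hardware beyond a USB device the host can push data to; the host's choice of bytes is the whole radio. The rate is the real constraint: at 80 bytes per second a 4 KB private key is on the air for about 51 seconds, which is why USBee suits small secrets rather than bulk data, and why USB port control and RF zoning around air-gapped systems are the relevant mitigations.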
- A new variant of the Locky ransomware has been spotted being downloaded as encrypted dynamic-link library (DLL) files, according to Trend Micro threats analyst Brooks Li, who wrote: "Using a DLL file in this way represents an attempt to try and evade behavior monitoring features that are now part of modern endpoint security products. Running as a DLL prevents a new process from being started, making it harder to detect. Other ransomware families (like CrypMIC/CryptXXX) have used this tactic as well, although for Locky, this is new."
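Detection logic for the DLL-hosting tactic Li describes, as an added example (written for this page, not Trend Micro's code). A DLL cannot run on its own, so a downloader hands it to a signed Windows host such as rundll32.exe or regsvr32.exe; the host image is trusted, which is what defeats tooling that judges only the process image. The rule below therefore looks at what the host was asked to load and who launched it. The event records are a constructed `key=value|key=value` format standing in for Sysmon or EDR process-creation events, and the temp-file name, export name and process IDs are made up.

```python
import re

# Signed Windows binaries that execute code from a library handed to them.
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}

# Parents that a downloader chain typically runs under (assumption: common loaders).
SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                  "winword.exe", "excel.exe"}

# Directories an unprivileged user (or a downloader running as one) can write to.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads)\\|\\Windows\\Temp\\|\\ProgramData\\", re.I)

# A drive-rooted path; stops at quotes, the rundll32 "path,export" comma, or whitespace.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^",\s]+')

# Constructed sample events (not real telemetry). Two are Locky-style, two are benign.
SAMPLE_EVENTS = [
    r"ProcessId=4412|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe C:\Users\alice\AppData\Local\Temp\kbd3f1.dll,qwerty|ParentImage=C:\Windows\System32\wscript.exe",
    r'ProcessId=4420|Image=C:\Windows\System32\rundll32.exe|CommandLine="C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL|ParentImage=C:\Windows\explorer.exe',
    r"ProcessId=4431|Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32.exe /s C:\Users\bob\Downloads\invoice.tmp|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"ProcessId=4440|Image=C:\Windows\explorer.exe|CommandLine=explorer.exe|ParentImage=C:\Windows\System32\userinit.exe",
]


def parse_event(line):
    """Parse one constructed 'key=value|key=value' process-creation record."""
    return dict(field.split("=", 1) for field in line.rstrip("\n").split("|") if "=" in field)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def loaded_library(event):
    """Path of the library handed to a DLL host, or None if this is not a host."""
    image = basename(event["Image"])
    if image not in DLL_HOSTS:
        return None
    for path in WIN_PATH.findall(event.get("CommandLine", "")):
        if basename(path) != image:      # skip the host's own path when quoted in full
            return path
    return None


def classify(event):
    """Reasons the event looks like Locky-style DLL hosting; empty list means benign."""
    library = loaded_library(event)
    if library is None:
        return []
    reasons = []
    if USER_WRITABLE.search(library):
        reasons.append("library in user-writable directory")
    if not library.lower().endswith(".dll"):
        reasons.append("library without .dll extension")
    parent = basename(event.get("ParentImage", ""))
    if parent in SCRIPT_PARENTS:
        reasons.append(f"spawned by script or Office host {parent}")
    return reasons


def scan(lines):
    """Return (pid, host image, reasons) for every flagged event."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.get("ProcessId"), event["Image"], reasons))
    return hits


if __name__ == "__main__":
    for pid, image, reasons in scan(SAMPLE_EVENTS):
        print(pid, image, "; ".join(reasons))
```

Fed with real process-creation telemetry (Sysmon event ID 1 or the EDR equivalent), the same three signals hold up: a DLL host loading from a user-writable path, a library that is not named `.dll`, and a script or Office parent. The shell32.dll control-panel launch shows why the host image alone is useless as a signal: rundll32.exe runs constantly on a healthy machine.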
- Fairware "ransomware" isn't really ransomware: it deletes files and then tells victims that paying two bitcoins will bring them back on the targeted Linux systems. Lawrence Abrams, founder of BleepingComputer.com, reported that the malware was deleting files and demanding ransom, and Duo Labs later found it spreading through insecure instances of Redis, the open source data structure store used as a database, cache and message broker, that were reachable from the internet without authentication.
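A check for the misconfiguration Fairware relied on, as an added example (not Duo Labs' code or part of their analysis). It parses a redis.conf and flags the settings that let anyone on the network reach the instance and drive it with `CONFIG SET dir`, `CONFIG SET dbfilename` and `SAVE`, the well-known route by which an unauthenticated Redis is made to write attacker-chosen data wherever the Redis process can write (an SSH key into `~/.ssh/authorized_keys` when it runs as root). The weak and hardened configurations are constructed for this example; the directive names are standard Redis ones.

```python
import shlex

# Constructed example: a stock configuration that leaves the instance open.
WEAK_CONF = """
# no bind, no password, no protected-mode, CONFIG reachable
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed example: the same instance locked down.
HARDENED_CONF = """
port 6379
bind 127.0.0.1 ::1
protected-mode yes
requirepass "replace-with-a-long-random-secret"
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
dbfilename dump.rdb
"""


def parse_redis_conf(text):
    """Parse redis.conf into (directive, args) pairs. Directives may repeat and
    arguments may be quoted, e.g. rename-command CONFIG "" disables CONFIG."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_conf(text):
    """Findings for the settings that let Fairware walk in. Empty list means clean."""
    conf = parse_redis_conf(text)

    def values(directive):
        return [args for name, args in conf if name == directive]

    findings = []

    # No bind line means every interface; an explicit wildcard is the same thing.
    binds = values("bind")
    if not binds or any(a in ("0.0.0.0", "::", "*") for args in binds for a in args):
        findings.append("bind: listens on all interfaces")

    # protected-mode (Redis 3.2+) refuses remote clients when no password and no
    # bind are set. Older builds have no such guard, so its absence is flagged too.
    modes = values("protected-mode")
    if not modes or modes[-1][:1] != ["yes"]:
        findings.append("protected-mode: not enabled")

    if not any(args and args[0] for args in values("requirepass")):
        findings.append("requirepass: no authentication required")

    # CONFIG SET dir + CONFIG SET dbfilename + SAVE writes the dataset to an
    # attacker-chosen path; renaming CONFIG to "" removes the command.
    renamed = {args[0].upper(): args[1]
               for args in values("rename-command") if len(args) == 2}
    if renamed.get("CONFIG", "CONFIG") != "":
        findings.append("rename-command: CONFIG still reachable by clients")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "clean")
```

Two things the file cannot tell you: whether the process runs as root, which decides whether the `SAVE` trick lands in a user's home or the system's, and whether a firewall already blocks port 6379 from the outside. Run the audit alongside `ps` and the host's firewall rules. On Redis 6 and later, an ACL that denies `config` to ordinary users does the same job as `rename-command`.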
- Fantom, another tricky piece of ransomware posing as a Windows update, was reported over Twitter by Jakub Kroustek, reverse engineer and malware analyst at AVG.
"The Fantom ransomware uses an interesting feature of displaying a fake Windows Update screen that pretends Windows is installing a new critical update," wrote BleepingComputer.com's Lawrence Abrams. "In the background, though, Fantom is secretly encrypting a victim's files without them noticing."