Thursday, August 25, 2016

Apple releases iOS 9.3.5 to block a sophisticated iPhone spy technique

Updated 2 September: It turns out that the same vulnerabilities exist in OS X for MacBooks and iMacs, and can be used to run malicious programs with kernel (i.e. the highest level) privileges. Apple released updates for OS X Yosemite and OS X El Capitan on September 1.

For El Capitan, the fix is Security Update 2016-001.
For Yosemite, the fix is Security Update 2016-005.

To check for Mac software updates, open the App Store app on your Mac, then click Updates in the toolbar. If updates are available, click the Update button to download and install them. If you don't have the App Store on your Mac, get OS X updates by choosing Software Update from the Apple menu.

Updated 26 August: Brief update - here is a link to the original (and in-depth) report by Citizen Lab, the firm that identified the vulnerabilities and ferreted out the origin of the attack.

When a mobile phone provider sends you an update for your phone, it's usually a good idea to install it. Sometimes it's a better idea than others.

This is one of those times: Apple just released an update for iPhones, fixing three very serious bugs that together have been exploited in secret to spy on apparent Middle Eastern targets. Through the flaws, merely clicking on a link can "jailbreak" an iPhone - defeating the security measures Apple has built in and giving the attacker complete control of the device (and any private information on the device).

Your iPhone will prompt you to update to iOS 9.3.5 very shortly. Do it.

Motherboard has an article describing how the flaw was discovered and how it was being used to spy on individuals.

The SANS Internet Storm Center has a concise description of the three flaws and how they work together to compromise a device.

Here is Apple's release bulletin for iOS, and Apple's release bulletin for OS X.

What do you need to do?

Open the Settings app on your iPhone or iPad and go to General -> Software Update, or connect to iTunes on your Mac or PC. If you are running iOS 9.3.5 (the latest update as of this writing), your device will show that it is up-to-date. If you are running an older version, your device will show an update is available. Install it!

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen

Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.