Patch now: Apple emits fix for Pegasus spyware bugs in OS X, Safari
Vulns in iOS show up in shared code with desktop cousins
Those vulnerabilities last week that let government snoops monitor iPhones, iPads and iPods? Turns out they're present in desktop Safari and OS X, too – and Apple has quietly pushed out patches for them.
This isn't a big surprise because iOS and OS X, and mobile and desktop Safari, share big chunks of code, so flaws in Apple handhelds tend to turn up in Macs, and vice-versa.
The Safari patch is here, and patches for El Capitan and Yosemite are here. All can be installed via the usual software update mechanisms, and were made available on Thursday. These were patched in iOS last week.
The nasty trio of bugs – whose descriptions in Mitre's Common Vulnerabilities and Exposures database still focus on iOS – are:
- CVE-2016-4564 – a hole in IOMobileFrameBuffer (found and fixed in Safari);
- CVE-2016-4655 – which exposes kernel memory in the operating systems; and
- CVE-2016-4656 – the third in the bug chain, which permitted arbitrary code execution.
The three programming blunders, documented by Citizen Lab and Lookout, have been traced to Israeli spookware outfit NSO Group and its Pegasus spyware kit. This surveillance software infects and hijacks devices by exploiting the above bugs when a victim taps a malicious link, after which it can monitor all aspects of the device owner's life.
And the same is possible on desktop Macs, too. So get patching. ®