Apple has issued an urgent security update to fix critical vulnerabilities in the laptop and desktop version of the Safari browser and the OS X operating system, which allowed sophisticated hackers to remotely take control of Apple computers.
The new fixes come a week after malware hunters caught government hackers trying to exploit unknown flaws in the iPhone's operating system to hack into the phones of a Dubai-based human rights activist and a Mexican journalist. Last week, Apple patched those vulnerabilities in an iOS update.
But as it turns out, those unknown flaws, or zero-days, also affected Safari and Apple's computer operating system OS X, given that the mobile and regular version of Safari share the same codebase. Apple quietly released the patch for Safari and for OS X on Thursday.
According to Apple's advisory, the vulnerability in Safari allowed hackers to execute arbitrary code on a victim's computer by tricking him or her into visiting "a maliciously crafted website." In simpler words, by tricking someone to clicking on a wrong link, hackers could then take over the victim's Mac computer.
This is the same technique that hackers using malware created by a shadowy Israeli surveillance vendor known as NSO Group, used in the attacks against the UAE dissident and the Mexican journalist.
"Not only could NSO infect iPhones at the touch of a link, but it seems that the vulnerabilities they were exploiting could be weaponized to target many different platforms," Bill Marczak, a senior researcher at Citizen Lab, told Motherboard.
The company credited Citizen Lab, a digital rights watchdog at the University of Toronto's Munk School of Global Affairs, and mobile security firm Lookout for discovering the flaw.
Researchers at Citizen Lab, with the help of Lookout, analyzed the NSO malware behind the attack on the UAE activist Ahmed Mansoor two weeks ago, and alerted Apple right away. They discovered that the malware leveraged three unknown zero-days to allow attackers to take full control of the iPhone, allowing what is essentially a remote jailbreak of the device.
"Not only could NSO infect iPhones at the touch of a link, but it seems that the vulnerabilities they were exploiting could be weaponized to target many different platforms."
Those same vulnerabilities could have been used against Mac users, and thanks to Apple's new patches, hackers won't be able to weaponize those bugs anymore.
"Kudos to apple for being proactive here. They are patching vulnerabilities that could have been weaponized against OS X users," John Scott-Railton, another senior researcher at Citizen Lab, told Motherboard. "In the end it goes back to Mansoor's vigilance. Here is someone whose willingness to share a single suspicous SMS with researchers is leading to improvements in the security for hundreds of millions."
Want more Motherboard in your life? Then sign up for our daily newsletter.