Apple Releases iOS 9.3.5 With Fix for Three Critical Vulnerabilities Exploited by Hacking Group
Apple today released an iOS 9.3.5 update for the iOS 9 operating system, almost a month after releasing iOS 9.3.4 and a few weeks before we expect to see the public release of iOS 10, currently in beta testing.
iOS 9.3.5 is available immediately to all devices running iOS 9 via an over-the-air update.
iOS 9.3.5 is likely to be the last update to the iOS 9 operating system, introducing final bug fixes, security improvements, and performance optimizations before iOS 9 is retired in favor of iOS 10. iOS 9.3.4, the update prior to iOS 9.3.5, included a critical security fix patching the Pangu iOS 9.3.3 jailbreak exploit. iOS 9.3.5 features major security fixes for three zero-day exploits and should be downloaded by all iOS users right away.
According to The New York Times, the three security vulnerabilities patched in the update were exploited by surveillance software created by NSO Group to jailbreak an iPhone and intercept communications.
In an overview of the exploits, security firm Lookout says NSO Group's spyware, nicknamed "Pegasus," was highly sophisticated, installing itself through a link sent via a text message.
The exploit was initially discovered on August 11 after human rights defender Ahmed Mansoor received a suspicious link and sent it to Citizen Lab and Lookout. Had Mansoor clicked the link, it would have jailbroken his iPhone and installed "sophisticated malware" able to intercept phone calls, text messages, FaceTime calls, email, and more.
Lookout describes Pegasus as the most advanced attack it has seen because it is customizable, can track a range of things, and uses strong encryption to avoid detection. Lookout believes Pegasus had been in the wild for quite some time before it was discovered, with some evidence dating back to iOS 7.
Citizen Lab and Lookout informed Apple of the vulnerabilities and the company worked quickly to implement a fix, patching the exploits in just 10 days.