PSA: Apple releases iOS 9.3.5 to fix three critical security flaws

James Delahunty
25 Aug 2016 21:42

Apple has released iOS 9.3.5 to fix three critical security flaws that were linked to the attempted hacking of a human rights activist's iPhone.
On August 10, Ahmed Mansoor, a prominent human rights activity in the United Arab Emirates, began receiving suspicious text messages claiming to offer information about the torture of people in the UAE.
Mansoor was suspicious of the text messages and passed them to researchers at Citizen Lab, who confirmed it was an attempt to hack Mansoor's phone and track him, according to the New York Times.
Collaborating with Lookout, a mobile security firm located in San Francisco, they discovered that the spyware relied on three zero-day vulnerabilities in Apple's iOS software. These vulnerabilties were reported to Apple, and are all patched by iOS 9.3.5 which is available as an OTA update for all devices running iOS 9 right now.
The three vulnerabilities are very serious. The potential impact of any of the three vulnerabilities being exploited is as follows:

• CVE-2016-4655: An application may be able to disclose kernel memory
• CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges
• CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution

Sources and Recommended Reading:
About the security content of iOS 9.3.5: support.apple.com
IPhone Users Urged to Update Software After Security Flaws Are Found: www.nytimes.com