OS X patched against 'Pegasus' spyware exploits

Follows emergency update for iOS devices last week.

Apple has revealed that bugs in iOS that were exploited by spyware utilised by repressive regimes to target dissidents and journalists are also present in its OS X desktop operating system.

The company today issued a security patch for OS X 10.11.6 "El Capitan" and 10.10.5 "Yosemite" that fixes two zero-day vulnerabilities.

CVE-2016-4655 and CVE-2016-4656 were patched last week by Apple in the 9.3.5 update for its iOS mobile operating system. They allow attackers to read OS X kernel memory and execute arbitrary code with full system privileges, Apple said.

Security vendor Lookout together with researchers from University of Toronto's Citizen Lab are credited with finding the bugs in iOS and OS X.

The zero-days were included in the Pegasus spyware made by American-owned Israeli company NSO Group, which specialises in kernel-level exploitation.

Citizen Lab came across the spyware after a United Arab Emirates human rights activist was targeted through a text message that tried to trick him into clicking on a link that would deliver Pegasus to his device.

An infection with Pegasus fully compromises devices. Attackers are able to access voice and text messages from a range of apps, along with log files, emails and other data stored on systems.

Apple also patched a memory corruption bug in the WebKit rendering engine used by the Safari browser, also found by Citizen Lab and Lookout.

The patch applies to the older OS X 10.9.5 "Mavericks" version of the operating system as well as Yosemite and El Capitan. It plugs a vulnerability that could allow websites to run arbitrary code in drive-by attacks on visitors' computers.

The bug was fixed in the earlier iOS 9.3.4 update.

Copyright © iTnews.com.au . All rights reserved.