Apple released an update to iOS 9 today that included a patch for a serious security vulnerability. The new version, 9.3.5, fixes some other minor bugs in iOS, but Apple has warned its users to update immediately. The new attack exploits three previously unknown vulnerabilities in the iOS firmware.
Earlier this month an Emirati human rights advocate named Mansoor received a text promising new details of torture in the UAE (United Arab Emirates). The text included a link that, if followed, would jailbreak the iPhone and install malware that logs encrypted messages, activates the microphone and tracks the user's location.
Citizen Lab and Lookout Security received the information directly from Mansoor, reported the vulnerabilities to Apple for a fix, and then disclosed them. The exploits are the first time we have seen remote code execution for iOS in the wild. Citizen Lab attributed the exploit to the private Israeli spyware company NSO Group.
Apple has recently launched a bug bounty after private brokers with malicious intent started offering large sums of money for new exploits. Apple offers up to $200,000 for vulnerabilities that break the secure boot firmware. This attack is just another example of why companies need to offer an incentive to disclose vulnerabilities to them first.