Apple issues urgent iOS update after zero-day vulnerabilities were exploited in cyber attack on human rights lawyer
Vulnerabilities purchased on the open market used to attack user's iPhone
Apple has issued an urgent patch for the iOS operating system after a trio of zero-day vulnerabilities were reported to the computer giant.
The rushed update follows reports of an attempted cyber attack on a human rights lawyer by the security forces of a repressive regime, which was using exploits crafted by a specialist computer security company.
Apple was alerted to a "sophisticated" spyware threat affecting iOS after the target of the attack passed on the suspicious-looking malware to security company Lookout and watchdog Citizen Lab, which informed Apple.
In response, Apple rushed out iOS 9.3.5 on Thursday, to patch the threats posed by three previously unknown vulnerabilities:
- CVE-2016-4655 - an input validation flaw that could allow iOS kernel memory contents to be viewed by an installed app;
- CVE-2016-4656 - a memory corruption flaw in the iOS kernel that allows remote code execution and can be exploited by an installed app;
- CVE-2016-4657 - a remote code execution flaw in WebKit that could enable an attacker to jailbreak and install malware on an iOS device by way of a specially crafted web page.
Lookout collectively calls the three zero-day vulnerabilities Trident, and has warned that they could enable personal data to be accessed after simply opening a link sent in a text message.
"It infects a user's phone invisibly and silently, such that victims do not know they've been compromised," the company said.
The discovery was made after human rights lawyer Ahmed Mansoor alerted security researchers to unsolicited text messages he had received on his iPhone.
Following the link would have jailbroken his phone and infected it with malware capable of logging encrypted messages, activating the microphone and tracking the handset's movements.
The researchers believe that the spyware involved, dubbed Pegasus, was created by an Israeli 'cyber-war' outfit known as NSO Group.
"Pegasus is professionally developed and highly advanced in its use of zero-day vulnerabilities, code obfuscation and encryption," the researchers wrote.
"It uses sophisticated function-hooking to subvert operating system and application-layer security in voice/audio calls and apps including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, Apple's built-in messaging and email apps, and others.
"It steals the victim's contact list and GPS location, as well as personal, Wi-Fi and router passwords stored on the device."
Apple is said to have fixed the faults 10 days after Lookout sounded the alarm.
"We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all our customers to always download the latest version of iOS to protect themselves against potential security exploits," the firm said in a statement.
Apple has also confirmed that the bugs were fixed in the latest versions of the iOS 10 public and developer betas pushed out last week.
It comes just weeks after the company belatedly established its own 'bug bounty' programme, intended to persuade hackers who find flaws in the company's operating systems to sell them to Apple, rather than selling them to the highest bidder.