Apple has released an urgent update to its desktop operating systems and the Safari web browser to block a hack that could have turned the machines into spying tools.
The security flaw affects the El Capitan and Yosemite Mac operating systems, and is the same one that could have let hackers take complete control of iPhone devices, which Apple fixed with the iOS 9.3.5 update last week.
The Silicon Valley giant quietly released the update to the Mac software and Safari a week after its iPhone patch without addressing the delay.
Apple has urged customers with devices that are not running iOS 9.3.5, OS X 10.11.6 El Capitan and 10.10.5 Yosemite to update their software immediately to prevent potential malicious actors from spying on them.
Described as the “most sophisticated spyware” ever seen, the hack exploits three software vulnerabilities, present across the devices because Apple reuses a lot of the same code, that could let a hacker take control over the compromised device with the tap of a finger.
Mobile security company Lookout and internet watchdog group Citizen Lab discovered the hack after a failed attempt to break into human rights activist Ahmed Mansoor’s iPhone using it.
When Mansoor received a suspicious text that said “New secrets about torture of Emiratis in state prisons” alongside a link, he forwarded the message to a researcher at Citizen Lab, who clicked on the link and analysed the hack as it unfolded.
Apple warned that visiting a “maliciously crafted website” in the Safari web browser could let hackers use a similar method to install spy software on a computer.
Clicking the link on a phone or computer activates a piece of espionage software called “Pegasus” that can take advantage of a memory vulnerability in the iOS and OS X software to run two further exploits that can locate the kernel, the core of the operating system, and gain access to it.
Once inside the kernel, a malicious actor could read a user's messages, access their bank details and track their location, among other things.
Israeli surveillance company NSO Group Technologies, which sells spying software to governments, is suspected of having created the exploit. The company claims to only sell its programs to “authorised governmental agencies, and fully complies with strict export control laws and regulations”.
How to protect yourself
To update the software on your computer, open the App Store -> Updates -> install Security Update 2016-001 10.11.16.
And if you are yet to update the software on your iPhone or iPad you can do so by going to Settings -> General -> Software Update and upgrade to iOS 9.3.5.