The just-released iOS 9.3.5 update patches three major security vulnerabilities, reports The New York Times. Apple was alerted to the flaws just 10 days ago by security researchers Bill Marczak and John Scott-Railton, and is urging users to update.
Investigators discovered that Israel-based digital arms dealer NSO Group was using the exploits in software it sells that can track smartphones. The program can read texts and emails, track calls and location, and can record sounds and passwords.
In interviews and manuals, the NSO Group’s executives have long boasted that their spyware worked like a “ghost,” tracking the moves and keystrokes of its targets, without leaving a trace. But until this month, it was not clear how exactly the group was monitoring its targets, or who exactly it was monitoring.
A clearer picture began to emerge on Aug. 10, when Ahmed Mansoor, a prominent human rights activist in the United Arab Emirates, who has been tracked by surveillance software several times, began receiving suspicious text messages. The messages purported to contain information about the torture of U.A.E. citizens.
In the release notes for iOS 9.3.5, Apple identifies the vulnerabilities as two kernel bugs that allow an application to execute arbitrary code with kernel privileges and disclose kernel memory, and a WebKit bug involving arbitrary code execution.
As we said earlier, those running on jailbroken devices should avoid updating to iOS 9.3.5.