iPhone Spyware Trident Exploit Chain

On August 25th, Apple released iOS 9.3.5, an update to iOS devices which addresses 3 CVEs known as the Trident Exploit Chain: 

CVE-2016-4655: Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link. 

CVE-2016-4656: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel’s location in memory. 

CVE-2016-4657: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software. 

 These vulnerabilities were used in combination in an attempt to deploy "lawful intercept" spyware onto the iPhone of a noted human rights campaigner in the UAE.  Specific details of this case can be found on Citizenlab

And a technical analysis and blog post can be found on Lookouts website.

Leviathan recommends that all iOS users update to 9.3.5 as soon as possible.  When a 0-day exploit of this kind is patched, a wide range of groups will embark on reverse engineering the patch to recreate the exploit for reuse.  The mean time from patch release to a recreated exploit is ever shortening meaning that the chance of encountering an attack in the wild becomes more and more likely as the exploit becomes more widely available.