Apple yesterday issued an emergency security update for the Mac, patching the same trio of vulnerabilities the company fixed last week on the iPhone.
According to one of the groups that first revealed the flaws, the vulnerabilities could have been "weaponized" for use against OS X, the Mac's operating system.
The out-of-band update was aimed at OS X El Capitan (aka 10.11) and Yosemite (10.10), the 2015 and 2014 editions, respectively. Older versions, including 2014's OS X Mavericks, went unpatched: Apple is nearing the release of its annual Mac operating system upgrade and thus the end of support for the edition of three years ago.
Like the urgent update Apple released last week for the iPhone -- iOS 9.3.5 -- the Mac patches quash three bugs, two in the operating system's kernel and the third in the Safari browser.
According to reports from researchers at mobile security vendor Lookout and the Citizen Lab at the University of Toronto, the trio of bugs were used to spy on an activist in the United Arab Emirates by turning his iPhone into a surveillance tool. Citizen Labs pointed a finger at NSO Group, a shadowy Israeli company that allegedly sells vulnerabilities and spyware to governments, as the source of the flaws.
Prior to the disclosure last week, the vulnerabilities, pegged as "Trident" by Citizen Labs, were "zero-days," or unknown to Apple, and so extremely valuable on the black market.
The same bugs had to be patched on OS X as well as iOS, said Citizen Labs.
"The Trident vulnerabilities used by NSO could have been weaponized against users of non iOS devices, including OS X," the organization said Thursday in an update to its research. "We encourage all Apple users to install the update as soon as possible."
Apple published its usual terse summaries for the vulnerabilities on its website. Mac owners running El Capitan or Yosemite can update their systems by choosing "App Store" from the Apple menu, then selecting "Updates" from the row of icons at the top of the screen.
Sign up for Computerworld eNewsletters.