Independent researchers tracked down malware sent to a Middle Eastern human-rights activist and alerted Apple, which patched three separate zero-day exploits.
Apple released an update to iOS 9 on Thursday—iOS 9.3.5—that patches multiple critical zero-day vulnerabilities shown to have already been deployed, allegedly by governments to target activists and dissidents, according to a report from Citizen Lab and Lookout Security. Apple turned around the update within 10 days of receiving Citizen Lab’s initial report. Installing the update immediately is recommended for all iOS 9 devices.
Some of the exploits may have been discovered months ago or longer, so there’s no way to know how widely they’re in use, but details suggest these active exploits in previous versions of iOS 9 weren’t in wide use and were deployed against individual targets.
An Apple spokesperson said, “We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits.”
Jailbreaks have been demonstrated but not yet released for iOS 9.3.4, and it’s possible those jailbreaks relied on one or more aspects of the three flaws now patched.
To install the update on your iOS device, launch the Settings app, then tap General > Software Update. You also can update within iTunes with your device connected to your Mac.