Apple, today, released patches for a trio of iOS zero-day vulnerabilities that, when used together, enable an attacker to remotely, silently jailbreak the device phone and install highly sophisticated spyware upon it.
The vulnerabilities, collectively called "Trident," are patched in iOS version 9.3.5. They include CVE-2016-4655, Memory Corruption in Webkit, CVE-2016-4656, Information leak in Kernel, and CVE-2016-4657, Kernel Memory corruption leads to Jailbreak.
The discovery was made by Lookout and Citizen Lab, who worked with Apple on the patch before making the disclosure. Citizen Lab was tipped off to the bugs first by United Arab Emirates-based human rights defender Ahmed Mansoor, who reported that he had received suspicious text messages. Citizen Lab and Lookout investigated, and found that Mansoor -- who has been targeted by "lawful intercept malware" in the past -- was now being targeted by Francisco Partners Management's Pegasus spyware product, which was now equipped to exploit this trio of undisclosed iOS zero-day vulnerabilities.
For more information, see the blog at Lookout.