This was patched yesterday
Not to be that guy, but 16.6.1 released yesterday has patched this vuln out.
Apple devices are again under attack, with a zero-click, zero-day vulnerability used to deliver Pegasus spyware to iPhones discovered in the wild. Even running the latest version of iOS (16.6) is no defence against the exploit, which involves PassKit attachments containing malicious images. Once sent to the victim's iMessage …
Not to be that other guy...
"Apple moved swiftly, assigning two CVEs to the exploit chain – CVE-2023-41064 and CVE-2023-41061 – and issuing updates for iOS and iPadOS"
"As for the latest exploits, the advice is to update your iOS and iPadOS devices immediately"
And despite all that, it was a zero-day exploit discovered in the wild. So still newsworthy, and a prompt reminder to patch. Despite having auto-updates on, mine hadn't done it yet - just done it manually.
What?
Guys, get real: the insecurity is the iMessage service itself!
Any information you send via Apple or Google or Microsoft is definitely getting read by artificially intelligent daemons trying to figure out how to steal your money or your vote or your stock tips or whatever else they can steal.
How many zero days does iMessage have to get before people stop blindly trusting Apple as "more secure"? Android isn't better, but given that Apple not only intentionally disables SMS functionality for non-Apple recipients (given the lack of regulatory attention, one could be forgiven for thinking Apple's actions are legal) but has also enabled professional spyware like NSO Group's (undoubtedly others' as well) to assist their customers in spying primarily on innocent and vulnerable groups (what fraction of their sales goes to police forces operating with legal authority versus all the other users?), I don't think I want any devices with iMessage or FaceTime on my network either. Not that I have much choice given all the friends, family and co-workers who are certain Apple does security for them...
Many, many years ago there was NVIR. Which infected Mac apps running on an infected computer. Being nice, we added a bit of code that detected if our app was infected and showed an alert.
Our boss demonstrated the app at a major bank. It got infected instantly and showed an alert.
This wasn't an iMessage issue per se, it was an issue with the PassKit library sending passes (think tickets to concerts or sporting events) from one user's Apple Wallet to another. iMessage is how those passes are being transmitted, but if Apple had set up a way to send them via MMS or Signal the same vulnerability would have existed.
the fact that Apple not only intentionally disables SMS functionality for non Apple recipients
If they have data, they'll get it via iMessage, which is richer in functionality; if they're offline it'll be SMS.
I don't see the "evil" here, sorry. Or did that mess up your fact-short narrative?
You do understand that's the definition of a "zero day" flaw, right? Apple also fixes stuff they discovered, and stuff others discovered, for which there is no evidence anyone has ever exploited it.
If you have some evidence that proves they knew about this exploit for years but ignored it because they are secretly supporting NSO Group, please share. You would have to be prepared for a lot of major media like NYT, WSJ, and so on requesting interviews with you about your bombshell report.
Don't dismiss his complaint so quickly. If Pegasus is from 2011 you could hope that systems fuzzing for vulnerabilities would take known actors into account. Read: if it is known that buffer overflows are a target, special consideration would be made, from programming to compilation to fuzzing, to check for this issue.
You could hope, but hope it seems is all that users have been getting. Pegasus was a known issue but no one thought to issue a fix, as BLASTPASS allowed the full installation AND activation of Pegasus without issue, meaning that the OS's only protection against Pegasus...was not to get infected in the first place.
The difference in the details is important.
Pegasus has been around since 2011 but has not been using this exploit the whole time! PassKit didn't even exist until 4-5 years ago IIRC.
Whenever Pegasus starts using a new exploit they know the clock is ticking before Apple finds out about it and closes the hole, and they will switch to another exploit they had already discovered or purchased that they've kept on ice now that Apple has closed this one.
That's why NSO Group goes to extreme lengths to limit how much their software can be used, and by whom. They make sure that they are selling to "legit" governments and law enforcement (in quotes because they don't care if they are terrible repressive governments, just that they are the actual terrible repressive government of country X rather than an imposter claiming to represent country X) and they make sure that it can only be installed on a small number of phones.
Because if Apple was able to masquerade as a customer, they would have a pipeline into all Pegasus updates and could close holes as quickly as it was updated until NSO Group ran out, plus the more phones Pegasus spyware is installed on, the greater the chance Apple or a security researcher will get their hands on it and reverse engineer the exploit.
No one reading this needs to worry about being hacked by these exploits, because NSO Group goes to great lengths to ensure that only a few thousand people in the world in total will have Pegasus used against them.
Fast forward to where Apple flings about millions of dollars for someone detecting a flaw.
Ok
Bad guy now has a choice of getting a million bucks and "helping America", or less and hurting "America". Can you not envisage a scenario where this might still allow for zero days…?
Human motivation, while closely tied to money, is not exclusively so.
But Apple could easily solve this issue by simply paying more as a bug bounty than NSO does.
That assumes everything NSO uses was purchased on the open market, and that Apple has access to these "markets". Who knows how many exploits are discovered by e.g. state-sponsored hackers for China, or the US for that matter, who later sell the exploit they found to NSO Group for some extra cash. They couldn't go to Apple and risk being exposed, but I'm sure NSO Group would be willing to pay under the table in ways Apple wouldn't, like bitcoin or maybe even a briefcase filled with cash.
You're trying to put a positive spin on what is generally accepted as poor security behaviour by Apple. 0-day exploits are the only ones that are known about. NSO is only one of many possible actors searching for and potentially exploiting such issues, and they all have a vested interest in keeping such issues quiet. And Apple seems to think so as well. There have been many reports of Apple not responding to reports in the hope that security through obscurity will help.
They should be learning from others (except Microsoft perhaps) in the software industry that have established procedures for reporting such issues, developing and providing patches and informing their users. Unfortunately, however, patch releases like this are the exception rather than the rule. Users normally have to wait for the more or less regular OS updates, which often contain poorly documented information about patched flaws.
Software can't be perfect and exploits will always be found, so it's essential to develop a culture that accepts this and policies to mitigate consequences as much as possible. Apple still has a long way to go in this respect.
What are you talking about? Apple releases patches quite regularly, they even instituted a special system for releasing security critical patches even faster when necessary. They create CVEs for every single issue, even ones they find themselves - which most companies do not do because it inflates their count.
They are not perfect, but they are better than most now which is quite an improvement over the past 5-6 years when they were not responding as quickly as they should, didn't have a bug bounty program, and so forth.
Pegasus spyware being around since 2011. Not much of a race /s
There was an article a couple of days ago about downloaders/droppers vs payloads. Comments said no one needed that explaining.
https://www.theregister.com/2023/08/28/top_malware_loaders/
Not sure of the controversy on that post; finding a zero-click buffer overflow in a front-line application like an SMS app/iMessage feels pretty 20 years ago. One more example of putting too much attack surface on untrusted interfaces subject to the unwashed and unfiltered horror that is the internet. Bonus because it can be slipped in between the sheets of the end-to-end encryption, preventing Apple from easily blocking it, like the SMS string of doom from a few years back.
It's still an easy enough mistake to make in this era, but also one that robust code analysis tools should have shaken loose, and Apple has few excuses for missing them on things like iMessage or Safari.
As attacks get worse, don't be surprised if that bad image trick is exploitable from other services like Safari or AirDrop as well.
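The two comments above about buffer overflows in untrusted parsers (that fuzzing and compile-time checks should shake a length-driven overflow loose, and that a zero-click overflow in a front-line message parser is an old class of bug) are illustrated below with an added example that is not from the article, any commenter, or Apple's PassKit/iMessage code. The wire format ("PKPS" magic, 16-bit big-endian length, payload) is constructed for this example only and says nothing about the real BLASTPASS bug; the point is the pattern: a length read from the message drives `memcpy` into a fixed buffer, beside the hardened parser that checks that length against both the destination capacity and the bytes actually received, plus a minimal in-process fuzz loop over the length field of the kind a unit test or libFuzzer target would run.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example only (not Apple's pass format):
 * magic "PKPS", 16-bit big-endian payload length, then payload bytes. */
#define HDR_LEN     6
#define PAYLOAD_MAX 64

struct pass_attachment {
    uint16_t declared_len;
    uint8_t  payload[PAYLOAD_MAX];
};

static uint16_t rd16be(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* The bug pattern: a length taken from the message drives memcpy into a
 * fixed buffer. declared_len > PAYLOAD_MAX overflows out->payload; a length
 * beyond the bytes received over-reads buf. Shown only for the pattern;
 * never fed hostile input below. */
int parse_unchecked(const uint8_t *buf, size_t len, struct pass_attachment *out)
{
    if (len < HDR_LEN || memcmp(buf, "PKPS", 4) != 0)
        return -1;
    out->declared_len = rd16be(buf + 4);
    memcpy(out->payload, buf + HDR_LEN, out->declared_len); /* no bound check */
    return 0;
}

/* Hardened form: every length derived from untrusted input is checked
 * against the destination capacity and against the bytes actually present. */
int parse_checked(const uint8_t *buf, size_t len, struct pass_attachment *out)
{
    if (buf == NULL || out == NULL)
        return -1;
    if (len < HDR_LEN || memcmp(buf, "PKPS", 4) != 0)
        return -1;                        /* malformed header */
    uint16_t n = rd16be(buf + 4);
    if (n > PAYLOAD_MAX)
        return -2;                        /* would overflow out->payload */
    if ((size_t)n > len - HDR_LEN)
        return -3;                        /* would over-read the input */
    out->declared_len = n;
    memcpy(out->payload, buf + HDR_LEN, n);
    return 0;
}

/* Constructed test messages: well-formed, oversized length, truncated body. */
static const uint8_t BENIGN[]    = { 'P','K','P','S', 0x00, 0x05, 'h','e','l','l','o' };
static const uint8_t OVERSIZED[] = { 'P','K','P','S', 0xFF, 0xFF, 'h','e','l','l','o' };
static const uint8_t TRUNCATED[] = { 'P','K','P','S', 0x00, 0x0A, 'h','e','l','l','o' };

/* 0 when the checked parser accepts BENIGN and reproduces its payload. */
int demo_benign(void)
{
    struct pass_attachment pa;
    if (parse_checked(BENIGN, sizeof BENIGN, &pa) != 0) return 1;
    if (pa.declared_len != 5 || memcmp(pa.payload, "hello", 5) != 0) return 2;
    return 0;
}

int demo_oversized(void)
{
    struct pass_attachment pa;
    return parse_checked(OVERSIZED, sizeof OVERSIZED, &pa);   /* -2 */
}

int demo_truncated(void)
{
    struct pass_attachment pa;
    return parse_checked(TRUNCATED, sizeof TRUNCATED, &pa);   /* -3 */
}

/* Minimal fuzz loop: all 65536 length values against a 16-byte payload.
 * Returns how many lengths were accepted (17: 0..16), or -1 if the checked
 * parser ever accepted a length that does not fit the bytes present. */
int fuzz_length_field(void)
{
    uint8_t msg[HDR_LEN + 16];
    memcpy(msg, "PKPS", 4);
    memset(msg + HDR_LEN, 'A', 16);
    int accepted = 0;
    for (unsigned n = 0; n <= 0xFFFF; n++) {
        struct pass_attachment pa;
        msg[4] = (uint8_t)(n >> 8);
        msg[5] = (uint8_t)(n & 0xFF);
        if (parse_checked(msg, sizeof msg, &pa) == 0) {
            if (n > 16) return -1;
            accepted++;
        }
    }
    return accepted;
}

int main(void)
{
    printf("benign=%d oversized=%d truncated=%d fuzz=%d\n",
           demo_benign(), demo_oversized(), demo_truncated(), fuzz_length_field());
    return 0;
}
```

Compile with `-O2 -D_FORTIFY_SOURCE=2 -fsanitize=address` and feed `parse_unchecked` the OVERSIZED message to see the tooling the commenter refers to catch the unchecked copy at runtime; the point of `parse_checked` is that the two bound checks make the parser's acceptance set exactly the messages that fit, which the fuzz loop verifies for every value of the length field.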