• For adults, what do you think about Apple's strategy of letting the hac

    From Wally J@21:1/5 to All on Thu Dec 28 01:21:33 2023
    XPost: misc.phone.mobile.iphone, comp.sys.mac.system

    The iKooks understand nothing and defend everything; but this latest
    exploit pattern shows there's a rampant lack of testing in Cupertino.

    The recent hardware exploit was apparently being exploited for years,
    where Apple only patched it after researchers reported the exploit to Apple (where, let's be clear, the malevolent agents are not going to be doing).

    *But if you look at the seriousness of this one - holy cow!*

    It's bad.
    Apple effectively has no testing whatsoever... based on what this showed.

    As an adult, doesn't that bother you?
    Even for iKooks, it should bother them that Apple only advertises safety.

    Apple has so many holes in iOS that the exploit below shows, that you
    should probably consider throwing that toxic iPhone over the next bridge.

    It's that bad. Read the exploit. Jesus Christ. It's shocking even to me.

    The adult question is...

    Given Apple's zero-day holes are two to three times the other platform,
    and given iOS' exploits in the wild are more than ten times more,
    what do you think of Apple's propensity to let others do their testing for them?

    There are zero day holes piled up on more zero day holes piled up on
    even more zero day holes - which allowed these exploits to occur, apparently for years on end (using _many_ zero-day holes that Apple never tested against).

    I already know the iKooks will scream that Apple patched this one exploit _after_ it was already exploited in the wild (it seems, for years)... but
    it's not interesting what iKooks think (because iKooks don't own brains).

    The iKooks understand nothing and defend everything; but this latest
    exploit pattern shows there's a rampant lack of testing in Cupertino.

    For reference, take a look at this analysis below of the exploit.
    Since iKooks deny everything about Apple that they hate (which turns
    out, is almost everything about Apple), it's completely verbatim.

    <https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/>

    Operation Triangulation' attack chain
    Here is a quick rundown of this 0-click iMessage attack, which used
    *four zero-days* and was designed to work on iOS versions up to iOS 16.2.

    Attackers send a malicious iMessage attachment, which the application
    processes without showing any signs to the user.

    This attachment exploits the remote code execution vulnerability
    CVE-2023-41990 in the undocumented, Apple-only ADJUST TrueType font
    instruction. This instruction had existed since the early nineties
    before a patch removed it.

    It uses return/jump oriented programming and multiple stages written
    in the NSExpression/NSPredicate query language, patching the JavaScriptCore
    library environment to execute a privilege escalation exploit written in
    JavaScript.

    This JavaScript exploit is obfuscated to make it completely unreadable
    and to minimize its size. Still, it has around 11,000 lines of code,
    which are mainly dedicated to JavaScriptCore and kernel memory parsing
    and manipulation.

    It exploits the JavaScriptCore debugging feature DollarVM ($vm) to gain
    the ability to manipulate JavaScriptCore's memory from the script and
    execute native API functions.

    It was designed to support both old and new iPhones and included a Pointer
    Authentication Code (PAC) bypass for exploitation of recent models.

    It uses the integer overflow vulnerability CVE-2023-32434 in XNU's memory
    mapping syscalls (mach_make_memory_entry and vm_map) to obtain read/write
    access to the entire physical memory of the device at user level.

    It uses hardware memory-mapped I/O (MMIO) registers to bypass the Page
    Protection Layer (PPL). This was mitigated as CVE-2023-38606.

    After exploiting all the vulnerabilities, the JavaScript exploit can do
    whatever it wants to the device including running spyware, but the
    attackers chose to: (a) launch the IMAgent process and inject a payload
    that clears the exploitation artefacts from the device; (b) run a Safari
    process in invisible mode and forward it to a web page with the next stage.

    The web page has a script that verifies the victim and,
    if the checks pass, receives the next stage: the Safari exploit.

    The Safari exploit uses CVE-2023-32435 to execute a shellcode.

    The shellcode executes another kernel exploit in the form of a Mach
    object file. It uses the same vulnerabilities: CVE-2023-32434 and
    CVE-2023-38606. It is also massive in terms of size and functionality,
    but completely different from the kernel exploit written in JavaScript.
    Certain parts related to exploitation of the above-mentioned
    vulnerabilities are all that the two share. Still, most of its code
    is also dedicated to parsing and manipulation of the kernel memory.

    It contains various post-exploitation utilities, which are mostly unused.

    The exploit obtains root privileges and proceeds to execute other stages,
    which load spyware. We covered these stages in our previous posts.
    --
    The iKooks understand nothing and defend everything; but this latest
    exploit pattern shows there's a rampant lack of testing in Cupertino.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Tyrone@21:1/5 to All on Fri Jan 19 15:42:09 2024
    XPost: comp.sys.mac.system, misc.phone.mobile.iphone

    On Dec 28, 2023 at 12:21:33 AM EST, "Wally J" <walterjones@invalid.nospam> wrote:

    A bunch of drivel.

    The facts are, "This currently affects Apple, Qualcomm, AMD, and Imagination GPUs but not Nvidia and ARM, as confirmed by Trail of Bits. "

    And it is a GPU issue, not a CPU issue. Do you EVER get ANYTHING right?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Your Name@21:1/5 to Tyrone on Sat Jan 20 09:47:45 2024
    XPost: misc.phone.mobile.iphone, comp.sys.mac.system

    On 2024-01-19 15:42:09 +0000, Tyrone said:
    On Dec 28, 2023 at 12:21:33 AM EST, "Wally J" <walterjones@invalid.nospam> wrote:

    A bunch of drivel.

    It always is from the know-nothing anti-Apple trolls. :-\



    The facts are, "This currently affects Apple, Qualcomm, AMD, and Imagination GPUs but not Nvidia and ARM, as confirmed by Trail of Bits. "

    And it is a GPU issue, not a CPU issue. Do you EVER get ANYTHING right?

    It also does not affect Intel GPUs (although they only tested *one*),
    so those of us with older Macs with the integrated Intel GPU apparently
    don't have the issue.

    Of course, like all other malware, it's basically theoretical and won't
    be seen by anyone in the real world ... just the scaremongering world
    of anti-malware sellers and anti-Apple trolls.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From WolfFan@21:1/5 to Your Name on Sat Jan 20 15:24:10 2024
    XPost: misc.phone.mobile.iphone, comp.sys.mac.system

    On Jan 19, 2024, Your Name wrote
    (in article <uoen5h$3a1ue$1@dont-email.me>):

    On 2024-01-19 15:42:09 +0000, Tyrone said:
    On Dec 28, 2023 at 12:21:33 AM EST, "Wally J" <walterjones@invalid.nospam>
    wrote:

    A bunch of drivel.

    It always is from the know-nothing anti-Apple trolls. :-\

    The facts are, "This currently affects Apple, Qualcomm, AMD, and Imagination
    GPUs but not Nvidia and ARM, as confirmed by Trail of Bits. "

    And it is a GPU issue, not a CPU issue. Do you EVER get ANYTHING right?

    It also does not affect Intel GPUs (although they only tested *one*),
    so those of us with older Macs with the integrated Intel GPU apparently
    don't have the issue.

    Of course, like all other malware, it's basically theoretical and won't
    be seen by anyone in the real world ... just the scaremongering world
    of anti-malware sellers and anti-Apple trolls.

    In times past I saw some actual real malware: Scores, WDEF, nVIR. I also encountered, more recently, the AutoStart Worm. (Well, it was more recent
    than Scores or WDEF or nVIR. Just not very recent.) In times closer to the present, but still quite a while back, I made quite a bit of money resquing some Mac users (and a whole lot of Windows users) from the fake FBI ‘virus’. I haven’t seen live Mac malware since then. (Lots of Windows malware, though.)

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)