Comment by hnburnsy
2 years ago
>The resulting shellcode, in turn, went on to once again exploit CVE-2023-32434 and CVE-2023-38606 to finally achieve the root access required to install the last spyware payload.
Why isn't Apple detecting the spyware/malware payload? If only Apps approved by Apple are allowed on an iPhone, detection should be trivial.
And why has no one bothered to ask Apple or ARM about this 'unknown hardware'?
>If we try to describe this feature and how the attackers took advantage of it, it all comes down to this: they are able to write data to a certain physical address while bypassing the hardware-based memory protection by writing the data, destination address, and data hash to unknown hardware registers of the chip unused by the firmware.
And finally does Lockdown mode mitigate any of this?
I think Lockdown would help here since it doesn’t decode message attachments. So the original link in the chain (decoding a PDF) would be impossible.
As for detecting unauthorized apps, I would imagine that once you’ve taken over control of the OS kernel, it’s game over for such software-based restrictions. The Halting theorem guarantees such limitations to any software-based restriction. And as long as you can form a Turing complete mechanism from pieces of the computer, such software limitations will apply.
This chain isn’t delivered via an app, it is sent through iMessage. The checks for “only apps approved by Apple” are not relevant if you exploit your way past them.
Thanks, I did see the researchers posted how the malware gets into memory, but I still feel like since Apple tightly controls the environment it should be able to detect anything running there that should not be.
It is very difficult to do this in general, especially for these kinds of exploits.
Apple does not control what photo, video or PDF gets sent to you via iMessage.
There is a PNG in the original article with detail of the malware gaining a foothold on a device:
https://cdn.arstechnica.net/wp-content/uploads/2023/12/trian...
As you can see, it starts with a PDF coming into iMessage, and that PDF has a font that is able to exploit ROP gadgets.
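An added illustration of the defensive idea the thread circles around (Lockdown mode refusing to decode attachments from untrusted senders), not code from the thread, from Apple, or from the researchers: a small attachment-triage check that refuses to auto-render an untrusted PDF if a raw scan finds an embedded font program, the element the linked diagram shows at the start of the chain. The three PDFs are constructed inline, the object keys come from the PDF specification, and the rule that an untrusted PDF with an embedded font is held rather than rendered is an assumed policy.

```python
import re
from typing import Dict, List

# Dictionary keys that reference an embedded font program (PDF 32000-1, 9.9):
#   /FontFile  -> Type 1 program, /FontFile2 -> TrueType, /FontFile3 -> CFF/OpenType.
FONT_PROGRAM_RE = re.compile(rb"/(FontFile[23]?)(?![A-Za-z0-9])")
FONT_SUBTYPE_RE = re.compile(
    rb"/Subtype\s*/(TrueType|Type1C|Type1|Type0|Type3|CIDFontType0C|CIDFontType0|CIDFontType2|OpenType)"
)
# Compressed object streams hide dictionaries from a raw byte scan.
OBJSTM_RE = re.compile(rb"/Type\s*/ObjStm")

# Constructed sample: a one-page PDF with an embedded TrueType font program.
SAMPLE_PDF_WITH_FONT = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >> endobj
4 0 obj << /Type /Font /Subtype /TrueType /BaseFont /ConstructedFont /FontDescriptor 5 0 R >> endobj
5 0 obj << /Type /FontDescriptor /FontName /ConstructedFont /FontFile2 6 0 R >> endobj
6 0 obj << /Length 4 >> stream
\x00\x01\x00\x00
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: same page, but it only names a standard font (no program embedded).
SAMPLE_PDF_NO_FONT = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: objects packed into a compressed object stream, so the
# raw scan cannot tell whether a font program is inside.
SAMPLE_PDF_OBJSTM = b"""%PDF-1.5
1 0 obj << /Type /ObjStm /N 2 /First 10 /Length 8 /Filter /FlateDecode >> stream
xxxxxxxx
endstream endobj
%%EOF
"""


def scan_pdf(data: bytes) -> Dict[str, object]:
    """Report what a raw byte scan can see: embedded font programs, font
    subtypes, and whether compressed object streams hide part of the file."""
    programs: List[str] = [m.group(1).decode("ascii") for m in FONT_PROGRAM_RE.finditer(data)]
    subtypes = sorted({m.group(1).decode("ascii") for m in FONT_SUBTYPE_RE.finditer(data)})
    return {
        "font_programs": programs,
        "font_subtypes": subtypes,
        "has_object_streams": OBJSTM_RE.search(data) is not None,
    }


def triage_decision(data: bytes, sender_trusted: bool = False) -> str:
    """Assumed policy: trusted senders render; untrusted PDFs that embed a font
    program, or that cannot be fully inspected, are held instead of parsed."""
    if sender_trusted:
        return "render"
    report = scan_pdf(data)
    if report["font_programs"]:
        return "quarantine"  # would hand an attacker-controlled font to the renderer
    if report["has_object_streams"]:
        return "quarantine"  # cannot see inside compressed object streams, so do not guess
    return "render"


if __name__ == "__main__":
    for name, pdf in [("with_font", SAMPLE_PDF_WITH_FONT),
                      ("no_font", SAMPLE_PDF_NO_FONT),
                      ("objstm", SAMPLE_PDF_OBJSTM)]:
        print(name, scan_pdf(pdf), triage_decision(pdf))
```

The point of the object-stream branch is the caveat a practitioner needs: a byte-level scan is only a screening step, and a PDF that packs its dictionaries into compressed streams (or uses any other encoding the scanner does not unpack) must be treated as uninspected rather than clean. A real gateway would either fully decode the file in a sandboxed parser or, as Lockdown mode does, simply not render untrusted attachments at all.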
>Apple declined to comment for this article.
> >Apple declined to comment for this article.
Asshats
> Why isn't Apple detecting the spyware/malware payload? If only Apps approved by Apple are allowed on an iPhone, detection should be trivial.
Because Apple is busy fixing exploits discovered by Citizenlab. /s
But hey, Apple is secure.