Comment by cedws
2 years ago
>This attachment exploits vulnerability CVE-2023-41990 in the undocumented, Apple-only TrueType font instruction ADJUST for a remote code execution. This instruction existed since the early 90’s and the patch removed it.
This is getting ridiculous. How many iMessage exploits have there now been via attachments? Why aren't Apple locking down the available codecs? Why isn't BlastDoor doing its job?
This is really disappointing to see time and time again. If a simple app to send and receive messages is this hard to get right, I have very little hope left for software.
If I've read the rest of the documentation correctly, the exploit is actually triggered from an attached ".watchface" file, which of course, has the font vulnerability in it.
I'd like to meet the person who suggested even sending .watchface files as iMessage attachments in the first place. What were you thinking? Did you not have a large enough attack surface already?
Well, at least the file extension honestly warns you that the file might watch after your face.
If I were an embassy employee (covert or overt), I'd want zero iMessage features beyond ASCII and the thumbs-up/down reactions. No attachments, no GIFs, no games, no Apple Pay, no easter eggs, no rich text.
Apple really needs a paranoid mode.
Lockdown mode exists: https://support.apple.com/en-us/105120
You can't use this with MDM unfortunately, so useless for govts, corporations, etc.
iOS has a reputation for having the best security, but how many times have Android/WhatsApp had these sorts of silent-instant-root exploits via invisible messages? I don't remember it happening. Maybe the strategy of writing lots of stuff in Java is paying off there.
Android has had zero click exploits. For example, Stagefright [1]
And even better, there are plenty of old Android phones out which will be vulnerable to various exploits because of weak OTA update support policies.
[1] https://en.wikipedia.org/wiki/Stagefright_(bug)
Sigh…there has never been an 0day Stagefright exploit in the wild. And even if there was it wouldn’t have worked on all Android devices due to the OS differences among OEMs.
Also, there are plenty of old iPhones that do not receive updates anymore and are just as vulnerable so I’m not sure why you needed to get that in.
WhatsApp has had exploits. See https://gbhackers.com/new-whatsapp-0-day-vulnerabilities/amp...
Yes, but that wasn't a zero day. WhatsApp's own team found that, and it wasn't a zero-click exploit, you had to be in a video call with the attacker.
I wonder why attachments would ever be loaded from unknown contacts.