21 comments

[ 2.6 ms ] story [ 69.4 ms ] thread
> Apple is aware of a report that this issue may have been actively exploited.

> CVE-2023-41061: Apple

So if Apple discovered this bug, and Apple saw it exploited in the wild, the question needs to be asked... How did Apple find it in the wild? Was one of their own employees phished? Do they have monitoring on every phone to upload suspicious binaries running as root to the mothership?

> Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware.

https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zer...

Good ol pegasus they keep being on the news about spyware
(comment deleted)
iOS can send diagnostic logs and crash reports. If the exploit crashed the app instead of running successfully, then that would likely appear in the report. Unusual stack traces can indicate RCE or other exploits.
I'm not sure who needs to ask that question. Apple gets critical vulnerability reports and investigates them.
But normally they wouldn't attribute themselves if the initial report was from an external source.
Depends on the source. If the Citizen lab didn't find it, Apple would have not patched it.
iMessage passes through their servers so I would not be surprised if they look for anomalous senders or whatever other metadata isn’t encrypted, and they can correlate that with things like crash dumps or potentially other unusual activity by the recipient.
(comment deleted)
What about those that are running the iOS 17 developer beta?
I also wonder. No updates yet.
In general, are these exploits in memory only? If I reboot my phone, is that likely to impact anything? Or is it usually possible to persist them to the file system?
You have secure chain of boot so you can't launch the malicious stuff on boot.

But - this doesn't prevent you once you have root to modify some app and system settings for the phone to reinfect itself eventually (proxies, vpn, who knows what)

(comment deleted)
In general they are in memory only. However, if the exploit is from iMessage parsing an image, this may happen whenever you run the app.

Regardless, persistence is hard, which is why NSA and others recommend shutting off your phone at least once per week.

Serious question, if the NSO group is actively creating spyware - how have we not sanctioned them?

Heck this would probably need to be escalated to threaten the host country of the company with consequences if they're giving safe haven to a known bad actor.

We have. They’re on the “entity list” which bars US corps from supplying them. It’d be politically… difficult to say the least to sanction Israel.
After the update my iPhone suddenly complained that my iCloud storage was full although I hadn’t uploaded anything new. Kinda strange.