Most active commenters
  • TekMol(3)

←back to thread

Apple Confirms Zero-Day Attacks Hitting macOS Systems

(www.securityweek.com)
262 points fortran77 | 11 comments | 20 Nov 24 00:26 UTC | HN request time: 0.74s | source | bottom
Show context
TekMol ◴[20 Nov 24 07:13 UTC] No.42191458[source]
The article sounds like it also applies to iOS

    The company urged users across the Apple
    ecosystem to apply the urgent iOS 18.1.1,
    macOS Sequoia 15.1.1 and the older iOS 17.7.2.
And that it is web based

    maliciously crafted web content may lead
    to arbitrary code execution
Has this happened before? That iPhones had a security hole that could be exploited over the web?
replies(5): >>42191532 #>>42191533 #>>42191570 #>>42191597 #>>42192845 #
1. e28eta ◴[20 Nov 24 07:25 UTC] No.42191532[source]
Absolutely. I don’t follow the scene, but early in the iphone’s product life I distinctly remember a web-based jailbreak, where you loaded a page and then you could ‘slide to jailbreak’. I don’t know if user action was strictly required, or if it was a UX thing.
replies(1): >>42192094 #
2. TekMol ◴[20 Nov 24 09:16 UTC] No.42192094[source]
Shouldn't that lead to a massive amount of iPhones being broken into?

If not, why?

If so, what happened to all those phones?

I never hear stories like "My iPhone was broken into and this happened: ..."

replies(4): >>42192219 #>>42192481 #>>42192531 #>>42192745 #
3. TheDong ◴[20 Nov 24 09:38 UTC] No.42192219[source]
Why would it?

Do you regularly visit "hot-iphone-porn-apps.info" and other untrusted sites? Do you expect sites you do visit, like "google.com" or such, are going to serve up malware?

Do you expect hackers who build these very labor-intensive exploit chains will want to try and hit as many low-value targets as possible, leading to apple patching the exploit quickly, or to try and hit high-value targets only so it's not noticed by apple as quickly and can be used against more high-value targets to make more money in total than doing a "spray and pray" with it?

What thought process do you think would lead to using the exploit against as many people as possible vs selling it to zerodium.com or a similar company for more money than you can get from spraying, and then zerodium reselling it to israel to hack into the iphones of a few key palestinians?

replies(3): >>42192501 #>>42193156 #>>42193646 #
4. phillypham ◴[20 Nov 24 10:20 UTC] No.42192481[source]
It used to be possible to break into iPhones by sending just a text message without the target clicking on anything.

The only thing that kept this under control was there was an agreement to not target US-based numbers and the exploit was expensive.

Reference: The Battle for the World’s Most Powerful Cyberweapon https://www.nytimes.com/2022/01/28/magazine/nso-group-israel... and https://en.wikipedia.org/wiki/Pegasus_(spyware)

replies(1): >>42192761 #
5. TekMol ◴[20 Nov 24 10:23 UTC] No.42192501{3}[source]
You are implying that the web based exploits in the history of iOS were not publicly known but only available to very few.

If that holds true, that would be an importent addition to the discussion.

The comment I replied to was about a public website that could jailbreak an iPhone though.

6. throwaway290 ◴[20 Nov 24 10:27 UTC] No.42192531[source]
How are you sure your phone was not broken into? Do you think some big alert magically appears?
7. pwagland ◴[20 Nov 24 11:05 UTC] No.42192745[source]
Because most people apply the software updates at some point, and this was fixed many years ago. Everything sold in the last years comes with a version of iOS that isn't vulnerable anymore.
8. pwagland ◴[20 Nov 24 11:08 UTC] No.42192761{3}[source]
Not quite, from the Wikipedia:

> Pegasus' iOS exploitation was identified in August 2016. Emirati human rights defender Ahmed Mansoor received a text message promising "secrets" about torture happening in prisons in the United Arab Emirates by following a link. Mansoor sent the link to Citizen Lab of the University of Toronto, which investigated, with the collaboration of Lookout, finding that if Mansoor had followed the link it would have jailbroken his phone and implanted the spyware into it, in a form of social engineering.

So the link was sent via text message, but you had to click on it. Receiving the text message did nothing in and of itself.

replies(1): >>42192930 #
9. phillypham ◴[20 Nov 24 11:38 UTC] No.42192930{4}[source]
Initial versions were one-click. The attack became more sophisticated and became zero-click.

See https://en.wikipedia.org/wiki/Pegasus_(spyware)#Development_... for timeline.

See https://en.wikipedia.org/wiki/Pegasus_(spyware)#Saudi_Arabia for the iMessage version.

10. ceejayoz ◴[20 Nov 24 12:09 UTC] No.42193156{3}[source]
> Do you expect sites you do visit, like "google.com" or such, are going to serve up malware?

Absolutely. One of the main reasons to run an adblocker. Malicious ads slip through regularly onto entirely reputable sites.

11. acdha ◴[20 Nov 24 13:12 UTC] No.42193646{3}[source]
> Do you expect sites you do visit, like "google.com" or such, are going to serve up malware?

With absolute certainty. Google ads has triggered downloads of Windows executables on NYtimes.com for me before and I am confident attackers will keep trying. The idea that advertisers get to run JavaScript on clients makes that problem effectively unwinnable even though they spend considerable amounts trying to make it hard to slip dodgy code into ads.