Shared posts

18 Dec 05:24

FORCEDENTRY iMessage Zero-click Remote Code Execution

by Michael Tsai

Ian Beer & Samuel Groß (Hacker News):

Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.

The vulnerability discussed in this blog post was fixed on September 13, 2021 in iOS 14.8 as CVE-2021-30860.

[…]

Using this “fake gif” trick, over 20 image codecs are suddenly part of the iMessage zero-click attack surface, including some very obscure and complex formats, remotely exposing probably hundreds of thousands of lines of code.

My question answered: iMessage was calling into ImageIO from outside of the Blast Door sandbox.

The CoreGraphics PDF parser doesn’t seem to interpret javascript, but NSO managed to find something equally powerful inside the CoreGraphics PDF parser…

[…]

As mentioned above, the substitution based compression output is lossy. After a round of compression and decompression the rendered output doesn’t look exactly like the input. But JBIG2 also supports lossless compression as well as an intermediate “less lossy” compression mode. […] Rather than completely encoding the entire difference in one go, it can be done in steps, with each iteration using a logical operator (one of AND, OR, XOR or XNOR) to set, clear or flip bits. Each successive refinement step brings the rendered output closer to the original and this allows a level of control over the “lossiness” of the compression. The implementation of these refinement coding steps is very flexible and they are also able to “read” values already present on the output canvas.

[…]

The heap groom also places the current page’s backing buffer just below the undersized syms buffer, such that when the page JBIG2Bitmap is unbounded, it’s able to read and write its own fields[…]

[…]

JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations.
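The quoted paragraphs make one technical claim worth seeing concretely: refinement steps that read what is already on the canvas and combine it with AND, OR, XOR or XNOR are enough to build any logic circuit, adders included. The Python model below is an added example, not code from the Project Zero write-up; it assumes a toy one-dimensional canvas (not the real JBIG2 page or segment format) in which every operation is one such composition, and builds a ripple-carry adder out of nothing else, counting how many composition steps that costs.

```python
from typing import Callable, Dict, List

# The four composition operators the post names. A refinement step reads the
# bit already on the canvas (dst) and combines it with another cell (src).
OPS: Dict[str, Callable[[int, int], int]] = {
    "AND": lambda d, s: d & s,
    "OR": lambda d, s: d | s,
    "XOR": lambda d, s: d ^ s,
    "XNOR": lambda d, s: 1 - (d ^ s),
}

class Canvas:
    """Toy 1-D bitmap (assumed model, not the real JBIG2 page structure)."""
    def __init__(self, size: int) -> None:
        self.bits: List[int] = [0] * size
        self.steps = 0  # compositions executed, i.e. "segment commands" spent

    def compose(self, op: str, dst: int, src: int) -> None:
        self.bits[dst] = OPS[op](self.bits[dst], self.bits[src])
        self.steps += 1

    # Gates derived from the four compositions only: no direct cell writes.
    def clear(self, dst: int) -> None:             # x XOR x == 0
        self.compose("XOR", dst, dst)

    def copy(self, dst: int, src: int) -> None:    # 0 OR src == src
        self.clear(dst)
        self.compose("OR", dst, src)

    def invert(self, dst: int, src: int) -> None:  # 0 XNOR src == NOT src
        self.clear(dst)
        self.compose("XNOR", dst, src)

    def full_adder(self, a, b, cin, s, cout, t, u) -> None:
        """s = a^b^cin, cout = a&b | cin&(a^b); t and u are scratch cells."""
        self.copy(t, a); self.compose("XOR", t, b)        # t = a ^ b
        self.copy(s, t); self.compose("XOR", s, cin)      # s = t ^ cin
        self.copy(u, cin); self.compose("AND", u, t)      # u = cin & t
        self.copy(cout, a); self.compose("AND", cout, b)  # cout = a & b
        self.compose("OR", cout, u)                       # cout |= u

def add_on_canvas(x: int, y: int, width: int = 64):
    """Ripple-carry add x + y mod 2**width; returns (sum, compositions used)."""
    # Assumed cell layout: x | y | sum | width+1 carry cells | scratch t | scratch u
    cv = Canvas(4 * width + 3)
    X, Y, S, C = 0, width, 2 * width, 3 * width
    T, U = 4 * width + 1, 4 * width + 2
    for i in range(width):
        cv.bits[X + i] = (x >> i) & 1
        cv.bits[Y + i] = (y >> i) & 1
    for i in range(width):
        cv.full_adder(X + i, Y + i, C + i, S + i, C + i + 1, T, U)
    return sum(cv.bits[S + i] << i for i in range(width)), cv.steps
```

A 64-bit addition costs 832 compositions in this model, which gives a sense of scale for the 70,000-plus segment commands the post mentions once registers, comparators and memory searches are layered on top.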

Matthew Green:

I got to this part in the exploit description and it stopped being an exploit, became something more like art.

Previously:

22 Apr 12:32

University duo thought it would be cool to sneak bad code into Linux as an experiment. Of course, it absolutely backfired

'Our community does not appreciate being experimented on' says Kroah-Hartman

Updated Computer scientists at the University of Minnesota theorized they could sneak vulnerabilities into open-source software – but when they tried subverting the Linux kernel, it backfired spectacularly.…

24 Feb 21:03

Xbox Series X – New details and specifications revealed

by Bradley Prior

Microsoft has unveiled the specifications of its upcoming Xbox Series X gaming console.

10 Dec 13:14

South Africa: No unabridged birth certificate for visa exempt countries!

by Seb

South Africa's Deputy President Cyril Ramaphosa confirmed at the National Assembly on Thursday (12 Nov 2015) that "minors travelling from visa-exempt countries will no longer need to produce an unabridged birth certificate and parental consent at South Africa's ports of entry. However, they will be required to provide documentation proving the relationship between them and the parent or guardian that they will be travelling with when entering South Africa." He further said it is strongly advised that minors should always travel with proof of relationship and consent from absent parents or guardians in case they are asked to produce them at random.

No unabridged certificate for visa exempt countries

South African Tourism has released an infographic summarising the amendments made to South Africa's visa rules.