• For adults, what do you think about Apple's strategy of letting the hackers exploit their hardware/software?

    From Wally J@walterjones@invalid.nospam to misc.phone.mobile.iphone,comp.sys.mac.system,comp.sys.mac.apps on Thu Dec 28 01:21:33 2023
    From Newsgroup: comp.sys.mac.apps

    The iKooks understand nothing and defend everything; but this latest
    exploit pattern shows there's a rampant lack of testing in Cupertino.

    The recent hardware exploit was apparently being exploited for years,
    where Apple only patched it after researchers reported the exploit to Apple (which, let's be clear, the malevolent agents are not going to do).

    *But if you look at the seriousness of this one - holy cow!*

    It's bad.
    Apple effectively has no testing whatsoever... based on what this showed.

    As an adult, doesn't that bother you?
    Even for iKooks, it should bother them that Apple only advertises safety.

    Apple has so many holes in iOS that the exploit below shows, that you
    should probably consider throwing that toxic iPhone over the next bridge.

    It's that bad. Read the exploit. Jesus Christ. It's shocking even to me.

    The adult question is...

    Given Apple's zero-day holes are two to three times those of the other platform,
    and given iOS' exploits in the wild are more than ten times more,
    what do you think of Apple's propensity to let others do their testing for them?

    There are zero day holes piled up on more zero day holes piled up on
    even more zero day holes - which allowed these exploits to occur, apparently for years on end (using _many_ zero-day holes that Apple never tested against).

    I already know the iKooks will scream that Apple patched this one exploit _after_ it was already exploited in the wild (it seems, for years)... but
    it's not interesting what iKooks think (because iKooks don't own brains).

    The iKooks understand nothing and defend everything; but this latest
    exploit pattern shows there's a rampant lack of testing in Cupertino.

    For reference, take a look at this analysis below of the exploit.
    Since iKooks deny everything about Apple that they hate (which turns
    out, is almost everything about Apple), it's completely verbatim.

    <https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/>

    'Operation Triangulation' attack chain
    Here is a quick rundown of this 0-click iMessage attack, which used
    *four zero-days* and was designed to work on iOS versions up to iOS 16.2.

    Attackers send a malicious iMessage attachment, which the application
    processes without showing any signs to the user.

    This attachment exploits the remote code execution vulnerability
    CVE-2023-41990 in the undocumented, Apple-only ADJUST TrueType font
    instruction. This instruction had existed since the early nineties
    before a patch removed it.

    It uses return/jump oriented programming and multiple stages written
    in the NSExpression/NSPredicate query language, patching the JavaScriptCore
    library environment to execute a privilege escalation exploit written in
    JavaScript.

    This JavaScript exploit is obfuscated to make it completely unreadable
    and to minimize its size. Still, it has around 11,000 lines of code,
    which are mainly dedicated to JavaScriptCore and kernel memory parsing
    and manipulation.

    It exploits the JavaScriptCore debugging feature DollarVM ($vm) to gain
    the ability to manipulate JavaScriptCore's memory from the script and
    execute native API functions.

    It was designed to support both old and new iPhones and included a Pointer
    Authentication Code (PAC) bypass for exploitation of recent models.

    It uses the integer overflow vulnerability CVE-2023-32434 in XNU's memory
    mapping syscalls (mach_make_memory_entry and vm_map) to obtain read/write
    access to the entire physical memory of the device at user level.

    It uses hardware memory-mapped I/O (MMIO) registers to bypass the Page
    Protection Layer (PPL). This was mitigated as CVE-2023-38606.

    After exploiting all the vulnerabilities, the JavaScript exploit can do
    whatever it wants to the device including running spyware, but the
    attackers chose to: (a) launch the IMAgent process and inject a payload
    that clears the exploitation artefacts from the device; (b) run a Safari
    process in invisible mode and forward it to a web page with the next stage.

    The web page has a script that verifies the victim and,
    if the checks pass, receives the next stage: the Safari exploit.

    The Safari exploit uses CVE-2023-32435 to execute a shellcode.

    The shellcode executes another kernel exploit in the form of a Mach
    object file. It uses the same vulnerabilities: CVE-2023-32434 and
    CVE-2023-38606. It is also massive in terms of size and functionality,
    but completely different from the kernel exploit written in JavaScript.
    Certain parts related to exploitation of the above-mentioned
    vulnerabilities are all that the two share. Still, most of its code
    is also dedicated to parsing and manipulation of the kernel memory.

    It contains various post-exploitation utilities, which are mostly unused.

    The exploit obtains root privileges and proceeds to execute other stages,
    which load spyware. We covered these stages in our previous posts.
    --
    The iKooks understand nothing and defend everything; but this latest
    exploit pattern shows there's a rampant lack of testing in Cupertino.
    --- Synchronet 3.20a-Linux NewsLink 1.114
  • From Tyrone@none@none.none to comp.sys.mac.apps,comp.sys.mac.system,misc.phone.mobile.iphone on Fri Jan 19 15:42:09 2024
    From Newsgroup: comp.sys.mac.apps

    On Dec 28, 2023 at 12:21:33 AM EST, "Wally J" <walterjones@invalid.nospam> wrote:

    A bunch of drivel.

    The facts are, "This currently affects Apple, Qualcomm, AMD, and Imagination GPUs but not Nvidia and ARM, as confirmed by Trail of Bits."

    And it is a GPU issue, not a CPU issue. Do you EVER get ANYTHING right?
  • From Your Name@YourName@YourISP.com to misc.phone.mobile.iphone,comp.sys.mac.system,comp.sys.mac.apps on Sat Jan 20 09:47:45 2024
    From Newsgroup: comp.sys.mac.apps

    On 2024-01-19 15:42:09 +0000, Tyrone said:
    > On Dec 28, 2023 at 12:21:33 AM EST, "Wally J" <walterjones@invalid.nospam> wrote:
    >
    > A bunch of drivel.

    It always is from the know-nothing anti-Apple trolls. :-\

    > The facts are, "This currently affects Apple, Qualcomm, AMD, and Imagination GPUs but not Nvidia and ARM, as confirmed by Trail of Bits."
    >
    > And it is a GPU issue, not a CPU issue. Do you EVER get ANYTHING right?

    It also does not affect Intel GPUs (although they only tested *one*),
    so those of us with older Macs with the integrated Intel GPU apparently
    don't have the issue.

    Of course, like all other malware, it's basically theoretical and won't
    be seen by anyone in the real world ... just the scaremongering world
    of anti-malware sellers and anti-Apple trolls.

  • From WolfFan@akwolffan@zoho.com to misc.phone.mobile.iphone, comp.sys.mac.system, comp.sys.mac.apps on Sat Jan 20 15:24:10 2024
    From Newsgroup: comp.sys.mac.apps

    On Jan 19, 2024, Your Name wrote
    (in article <uoen5h$3a1ue$1@dont-email.me>):

    > On 2024-01-19 15:42:09 +0000, Tyrone said:
    > > On Dec 28, 2023 at 12:21:33 AM EST, "Wally J" <walterjones@invalid.nospam>
    > > wrote:
    > >
    > > A bunch of drivel.
    >
    > It always is from the know-nothing anti-Apple trolls. :-\
    >
    > > The facts are, "This currently affects Apple, Qualcomm, AMD, and Imagination
    > > GPUs but not Nvidia and ARM, as confirmed by Trail of Bits."
    > >
    > > And it is a GPU issue, not a CPU issue. Do you EVER get ANYTHING right?
    >
    > It also does not affect Intel GPUs (although they only tested *one*),
    > so those of us with older Macs with the integrated Intel GPU apparently
    > don't have the issue.
    >
    > Of course, like all other malware, it's basically theoretical and won't
    > be seen by anyone in the real world ... just the scaremongering world
    > of anti-malware sellers and anti-Apple trolls.

    In times past I saw some actual real malware: Scores, WDEF, nVIR. I also
    encountered, more recently, the AutoStart Worm. (Well, it was more recent
    than Scores or WDEF or nVIR. Just not very recent.) In times closer to the
    present, but still quite a while back, I made quite a bit of money rescuing
    some Mac users (and a whole lot of Windows users) from the fake FBI 'virus'.
    I haven't seen live Mac malware since then. (Lots of Windows malware, though.)
