Early last week, Google released a new stable update for Chrome. The update included a single security fix that was reported by Apple's Security Engineering and Architecture (SEAR) team. The issue, CVE-2023-4863, was a heap buffer overflow in the WebP image library, and it had a familiar warning attached:

"Google is aware that an exploit for CVE-2023-4863 exists in the wild."

This means that someone, somewhere, had been caught using an exploit for this vulnerability. But who discovered the vulnerability and how was it being used? How does the vulnerability work? Why wasn't it discovered earlier? And what sort of impact does an exploit like this have?

There are still a lot of details that are missing, but this post attempts to explain what we know about the unusual circumstances of this bug, and provides a new technical analysis and proof-of-concept trigger for CVE-2023-4863 ("the WebP 0day"). This work was made possible by major technical contributions from - thank you!

Unraveling the Timeline

Immediately after the Chrome security update was released, experts began to speculate that there was a link between CVE-2023-4863 and an earlier CVE from Apple, CVE-2023-41064. The theory goes something like this.

Early in September (exact date unknown), Citizen Lab detected suspicious behavior on the iPhone of "an individual employed by a Washington DC-based civil society organization":

BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild

They attributed the behavior to a "zero-click" exploit for iMessage being used to deploy NSO Group's Pegasus spyware, and sent their technical findings to Apple. Apple responded swiftly, and on September 7 they released a security bulletin that featured two new CVEs from the attack Citizen Lab identified.