3/27/2025 at 9:04:28 PM
This exploit is just wild. There are just so many little tricks connected together - using multiple image files with unexpected formats, aligning heap chunks to sit on easily-predicted and manipulable addresses, deserializing a huge object graph from image metadata, the usual NSExpression insanity, PAC bypass via unsigned pointers to function-pointer-containing structures, etc. etc. I thought the last exploit (where they built an entire virtual CPU out of image decompression commands: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...) was crazy, but that involved a lot fewer "tricks" than this exploit.

Many of these tricks are non-public, meaning that NSO would have had to spend a huge amount of time and effort researching every single one of these. They probably have many more tricks they know about and haven't used. And, Apple could patch every one of them in a future update and roll back all of that work.
There's a good reason why these exploits are expensive and only sent to a limited number of high-value targets. NSO this time around also worked to "protect their IP" using encryption to hide part of their exploit chain, presumably in a bid to avoid losing yet more of their precious zero-days to researchers.
What they're doing is pretty gross (particularly the whole spying-on-journalists bit), but you have to admit the level of technological sophistication and persistence here is pretty impressive.
by nneonneo
3/27/2025 at 11:33:45 PM
A strange choice of words. It's like saying “cannibalism is pretty gross, but the chef outdid himself on those slices”.

Moreover, even if it's complex from the technical point of view, morally it's dead simple: a hired programmer is the same as a dirty grunt with a gun, and the leader delivering speeches, and the rocket engine scientist, and the data processing clerk, and everyone in between. They all serve the Order they believe in, the king of this world.
by ogurechny
3/28/2025 at 12:49:54 AM
> It's like saying [...]

"Proof by analogy is fraud" - Bjarne Stroustrup
by heavensteeth
3/28/2025 at 5:39:49 AM
People do like true crime shows, so that's that.
by areyourllySorry
3/28/2025 at 2:10:00 PM
“True crime” is just fashionable slang for “pulp fiction” and “tabloid journalism”, so there's nothing new here.
by ogurechny
3/28/2025 at 10:20:38 AM
> using multiple image files with unexpected formats,

Unexpected? You mean your jpeg file is not a jpeg. Why not throw an error message then? Why does it (iMessage) have to open every byte thrown at it?
by hulitu