SN 840: 0-Day Angst

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

Steve was a little off-base with his talk about the iOS vulnerabilities and the fact that now that they share the same codebase with macOS, it makes it easier to find vulnerabilities on macOS and then try them on iOS.

That has always been the case, since the introduction of the iPhone. Especially in the case he highlighted, this was a Kernel exploit. The Mach Kernel was the first thing, in 2007, that was shared between both platforms. The rest of the stack was pared down, with a custom GUI for the iPhone, which has expanded over the years, and, now, the higher level UI stuff is also available on macOS.

So, yes, sharing the codebase means it is easier to find problems on the Mac and see if the same thing is also on the iDevices, but that isn’t new, that has always been the case, at least at the lower levels.

Wasn’t an exploit in iMessage found this way recently?
That is not low-level. But I see the point that Steve made was that the cool integration features lead to a loss of secrecy/security. I think people are okay with the increased risk with the rewards it offers.

AFAIK, the iMessage exploit only affected the iPhone, certainly only the iPhone was ever mentioned in coverage, because it was used in the Pegasus malware for the iPhone.

I agree, big_D. WebKit is open source as well. Also, Google uses the same code on the desktop and mobile, just like Apple.

I believe Pegasus works on both iOS and Android. The original report mentioned this, but they said Android has no logging information like iOS so they could not do any analysis.

Yes, there was a variant for Android, according to the first reports, but this was a generic name for the tool. The Android version would have used very different techniques to gain a foothold and use zero-day exploits from Android.