this post was submitted on 07 Sep 2023
159 points (100.0% liked)

Technology

59446 readers
3488 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

"BLASTPASS" bug can install malware without user interaction.

all 11 comments
sorted by: hot top controversial new old
[–] mojo@lemm.ee 30 points 1 year ago* (last edited 1 year ago) (2 children)
[–] andrew@lemmy.stuart.fun 20 points 1 year ago* (last edited 1 year ago)

And don't forget the 18 zero days, including 4 for RCE, found around WiFi calling that had them suggesting everyone turn it off for a few months.

[–] PlexSheep@feddit.de 2 points 1 year ago

Iirc the NSO Group wouldn't be a globally known spyware corp if not.

[–] autotldr@lemmings.world 10 points 1 year ago

This is the best summary I could come up with:


The iOS 16.6.1, iPadOS 16.6.1, macOS 13.5.2, and watchOS 9.6.2 updates patch the flaws across all of Apple's platforms.

The CVE-2023-41064 and CVE-2023-41061 flaws were reported by the Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto.

Also dubbed "BLASTPASS," Citizen Lab says that the bugs are serious because they can be exploited just by loading an image or attachment, which happens regularly in Safari, Messages, WhatsApp, and other first- and third-party apps.

Citizen Lab also said that the BLASTPASS bug was "being used to deliver NSO Group’s Pegasus mercenary spyware," the latest in a long line of similar exploits that have been used to infect fully patched iOS and Android devices.

Users worried about these kinds of flaws can mitigate them proactively by enabling Lockdown Mode on their iOS and macOS devices; among other things, it blocks many attachment types and disables link previews, the kinds of attack vectors that attackers can use to exploit these "clickless" vulnerabilities.

"We believe, and Apple’s Security Engineering and Architecture team has confirmed to us, that Lockdown Mode blocks this particular attack," Citizen Lab said.


The original article contains 287 words, the summary contains 190 words. Saved 34%. I'm a bot and I'm open source!

[–] cheese_greater@lemmy.world 0 points 1 year ago (3 children)

Daily reminder to use Lockdown Mode, folks. Nothing of value is lost in activating and using it.

[–] ultratiem@lemmy.ca 8 points 1 year ago* (last edited 1 year ago) (1 children)

Edit: turns out the flaw is exploited by way of an attachment that LM stops from loading. So in this case, LM would save you.

[–] Kerfuffle@sh.itjust.works 5 points 1 year ago (1 children)

Doesn't the article contradict what you just said?

"We believe, and Apple’s Security Engineering and Architecture team has confirmed to us, that Lockdown Mode blocks this particular attack," Citizen Lab said.

[–] ultratiem@lemmy.ca 5 points 1 year ago

Edited. Still a sledgehammer approach imo.

[–] gorysubparbagel@lemmy.world 2 points 1 year ago

The most likely issue you'll encounter is that it blocks almost all message attachment types, so if someone texts you an image, PDF, contact card, etc, it will completely block the attachment.