Everybody go update your iPhones.
The new 0-click vuln exploited by NSO Group is sent via a malicious image in iMessage.
@evacide FFS maybe Apple could start not accepting or at least not auto loading embedded media from senders you don't know??? 🤦
@evacide Platforms where folks you don't know can cold call you (email, SMS, iMessage) should ideally never support anything but pure text. If that ship has already sailed, loading non pure text content should be only on request.
@evacide Aside from avoiding 0day vulns and phishing, it'd avoid having to see the faces of spamming political candidates.
@evacide @dalias I'm *pretty* sure I read in their docs that it disables parsing of untrusted message media content, but of course also restricts Js in the browser etc. We're daily-driving an iPad in Lockdown Mode but didn't face any issues tbfh, the restrictions aren't noticeable to us. We mainly use it for browsing and media streaming.
@dalias@hachyderm.io @evacide@hachyderm.io It could be that NSO Group have a mole working inside Apple, someone on the inside who is deliberately planting the needed kind of security holes "by mistake". Perhaps not so oddly, Apple spins the update for a critical security vulnerability by first promoting "21 new emoji."
@Red_Shirt_no2 @evacide AFAICT, this bug affected *only* iOS 16.6.x so your old phone actually should be safe
@evacide can we please stop using memory-unsafe languages to gangle arbitrary input from the public. Also, I have the iOS 17 beta, is that version safe?
@evacide It really is starting to feel like WindowsXP around here.