
PEGASUS iOS Kernel Vulnerability Explained - ssclafani
http://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html
======
yborg

      Because we at SektionEins believe keeping the public in the dark about details of already fixed vulnerabilities is wrong...

      ...use our private jailbreak...

i.e. your undisclosed vulnerabilities bad, my undisclosed vulnerabilities are
cool.

Useful analysis, but casting a marketing endeavor as a public service is
rather disingenuous.

~~~
stevetrewick
But maybe they'll share it with you if you book on their training course. Only
EUR 4000!

~~~
vizzah
What a jailbreak is worth these days... close to a million? So a training course
for a few grand by someone capable of developing a jailbreak (on numerous
occasions*) should be a well-spent educational investment, even if no unfixed
vulnerabilities are shared (obviously, they won't be).

~~~
dylz
I'm pretty sure someone has already paid for the course and then released all
the private exploits -
[https://twitter.com/search?q=from%3Ai0n1c%20pangu&src=typd](https://twitter.com/search?q=from%3Ai0n1c%20pangu&src=typd)

------
whoopdedo
Once again demonstrating that the term "zero day" is horribly overused and
misused and probably should be eliminated from the lexicon, the
OSUnserializeBinary bug doesn't appear to be new. Brandon Azad[1] says he
discovered it last year. It was fixed in OS X in May. Or maybe the fix didn't
work since they had to make another patch this week.

[1] [https://bazad.github.io/2016/05/mac-os-x-use-after-free/](https://bazad.github.io/2016/05/mac-os-x-use-after-free/)

------
a2tech
Did these guys just admit they have their own private jailbreak? That seems
like something you'd keep quiet.

~~~
q3k
Stefan Esser is a well-known iOS security researcher who is well known to be
(and vocal about) keeping private jailbreaks.

This makes sense considering the platform - burning an exploit would render it
unnecessarily difficult to continue research on future versions of iOS.

~~~
xenadu02
Keep this in mind when you think about Apple's recent bug bounty program.
Anyone who has been sitting on some private jailbreaks might be tempted to
collect $200k, no?

~~~
ikeboy
A jailbreak is worth $1 million. See
[http://www.forbes.com/sites/thomasbrewster/2015/06/26/china-...](http://www.forbes.com/sites/thomasbrewster/2015/06/26/china-iphone-jailbreak-industry/)

------
klue07
Apple also released a fix for OS X with its latest update.

[https://support.apple.com/en-us/HT207130](https://support.apple.com/en-us/HT207130)

~~~
jetpks
This was the real news to me. Apple had to know OS X was vulnerable when they
released iOS 9.3.5, yet they waited until yesterday to push updates.

------
reiichiroh
Realistically, is this in the wild under active exploit? With the likelihood
of infection remote unless one is a UAE-targeted activist?

------
stevenh
Are people who never install new apps on their Mac safe without updating for
now, or can this be exploited over the web?

~~~
eugeneionesco
This can be exploited over the web by chaining it with the other bug used in
the attack.
