PEGASUS iOS Kernel Vulnerability Explained (sektioneins.de)
82 points by ssclafani on Sept 2, 2016 | 17 comments

  Because we at SektionEins believe keeping the public in the dark about details of already fixed vulnerabilities is wrong...

  ...use our private jailbreak...
i.e. your undisclosed vulnerabilities bad, my undisclosed vulnerabilities are cool.

Useful analysis, but casting a marketing endeavor as a public service is rather disingenuous.

But maybe they'll share it with you if you book on their training course. Only EUR 4000!

What a jailbreak is worth these days... close to a million? So a training course for a few grand by someone capable of developing a jailbreak (on numerous occasions*) should be a well-spent educational investment, even if no unfixed vulnerabilities are shared (obviously, they won't be).

I'm pretty sure someone has already paid for the course and then released all the private exploits - https://twitter.com/search?q=from%3Ai0n1c%20pangu&src=typd

You seem to not understand the difference between "already fixed vulnerabilities" and a private jailbreak.

I understand the difference. I don't see the distinction. They know an unpatched vulnerability and if they haven't reported it to Apple, they don't own the moral high ground that would justify their smug public-interested belief.

In fact, as someone who lives and breathes in this ecosystem and gives talks on the ethics involved, I kind of want to argue the opposite: that by doing a play-by-play breakdown of a recent bug to the point of educating an attacker how to exploit it, you increase everyone's danger and don't particularly increase their safety, while disclosing a bug being hoarded in a "just me and a ton of my close friends over a long period of time" way (which is not how the groups who enjoy publishing public jailbreaks play the game) in a high-level manner would actually do the opposite.

Once again demonstrating that the term "zero day" is horribly overused and misused and probably should be eliminated from the lexicon, the OSUnserializeBinary bug doesn't appear to be new. Brandon Azad[1] says he discovered it last year. It was fixed in OS X in May. Or maybe the fix didn't work since they had to make another patch this week.

[1] https://bazad.github.io/2016/05/mac-os-x-use-after-free/

Did these guys just admit they have their own private jailbreak? That seems like something you'd keep quiet.

Stefan Esser is a well-known iOS security researcher who is well known to be (and vocal about) keeping private jailbreaks.

This makes sense considering the platform - burning an exploit would render it unnecessarily difficult to continue research on future versions of iOS.

Keep this in mind when you think about Apple's recent bug bounty program. Anyone who has been sitting on some private jailbreaks might be tempted to collect $200k, no?

Apple also released a fix for OS X with its latest update.

This was the real news to me. Apple had to know OS X was vulnerable when they released iOS 9.3.5, yet they waited until yesterday to push updates.

Realistically, is this in the wild under active exploit? With the likelihood of infection remote unless one is a UAE-targeted activist?

Are people who never install new apps on their Mac safe without updating for now, or can this be exploited over the web?

This can be exploited over the web by chaining it with the other bug used in the attack.
