Ian Beer Profile
Ian Beer

@i41nbeer

Followers: 48K | Following: 2 | Media: 2 | Statuses: 71

Joined December 2017
7 months
My writeup of the 2023 NSO in-the-wild iOS zero-click BLASTDOOR webp exploit: Blasting Past Webp - https://t.co/H4m8MBwoWN
2 years
If you like memory corruption, low-level internals and building custom decompilers to analyse novel exploits check out the write-up here:
2 years
Earlier this year @AmnestyTech and @_clem1 from Google TAG found an in-the-wild iPhone zero day full chain. Today I’m publishing my analysis of the Safari sandbox escape component, the first in-the-wild sample to break into the new Safari GPU process.
3 years
This includes calling out failures and patch gapping is currently a major issue with Android. In this case, 5 Mali GPU vulnerabilities we reported this summer were fixed by ARM but those fixes still haven't made it to end user devices, many months later.
3 years
Mind the gap: https://t.co/sq6tw15Rmg Part of Project Zero's remit is to drive structural improvements across the ecosystem.
3 years
Excited to publish my writeup of a novel iOS in-the-wild exploit: The curious case of the fake Carrier .app:
4 years
Continuing my look back at interesting vulnerabilities from last year here are some edited notes from my analysis of CVE-2021-1782, a rather subtle race condition vulnerability in the XNU vouchers subsystem found exploited in-the-wild last January:
4 years
It was a vulnerability in ASN.1 decoding which only existed in Apple's fork of NSS; I traced the code back over 20 years to figure out why.
4 years
I wrote up some of my notes on interesting vulnerabilities from last year. This first one takes a deep-dive into the iOS ASN.1 vulnerability found by @xerub:
4 years
Today we're publishing a follow-up post looking at the sandbox escape used by FORCEDENTRY:
4 years
Huge thanks to Citizen Lab for sharing a sample of the exploit and Apple for their invaluable technical assistance.
4 years
Today we're publishing a detailed technical writeup of FORCEDENTRY, the zero-click iMessage exploit linked by Citizen Lab to the exploitation of journalists, activists and dissidents around the world.
5 years
CVE-2020-27932: iOS Kernel privesc with turnstiles:
5 years
The rest of this thread:
5 years
I’d like to give some personal opinions on this work. The following thread is my personal view and doesn’t necessarily reflect the views of Project Zero or Google.
5 years
(twitter UI is complicated!)
5 years
Excited to finally publish my lockdown project from earlier this year: an iOS zero-click radio proximity exploit odyssey. https://t.co/UXQvemH0hG
5 years
With Apple’s generous donation matching commitment that could be up to $500,000. Let’s make this a great celebration of our work together towards a better future. #GivingTuesday @bbcnews @guardian @nytimes @ft @vice @WIRED
5 years
I’d love to work with Apple to work out if this work qualifies for a bug bounty and donate that in full to charity!
5 years
Apple publishes their bug bounty reward guidelines publicly on their website and they’re applauded for having some of the highest in the industry.
security.apple.com
Your security research may be eligible for a reward through the Apple Security Bounty. We welcome reports from anyone.