Hi there! My name is Matt Suiche, currently serving as the Director of Incident Response R&D at Magnet Forensics (MAGT:TO). Our organization is passionately dedicated to justice and protecting the innocent, a mission we embarked on more intensely after the 2022 acquisition of my cybersecurity start-up, Comae Technologies.
My life-long fascination with learning and understanding complex systems first led me to cybersecurity. My teenage years were spent immersed in reverse engineering, which ignited a profound curiosity about technology that continues to this day. I’ve since explored various fields including operating systems architecture, programming languages, virtualization, modern web application development, and generative art. Furthermore, I’ve delved into numerous domains such as privacy, surveillance, forensics, blockchain, and community development among others.
As part of the attack chain, the initial infection starts with attackers dispatching a malicious PDF as an iMessage attachment. This particular attachment is crafted to stealthily leverage a remote code execution vulnerability in the FontParser, identified as CVE-2023-41990 and reported by Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky to Apple.
As someone who worked at the NSA, I always think it's hilarious when people feel like real APTs can be minimized to the MITRE matrix.
More than 14 weeks pasted since Apple Product Security team reported the issue affecting WebP open source project to Google, in follow up to the BLASTPASS iOS exploit that was discovered in the wild by CitizenLab and discussed in September. This means that the email chain is now public as of December 14, 2023.
We also learn that that Brotli compression algorithm almost got impacted by the same issue (c.f. BrotliBuildHuffmanTable) but the shape of Huffman tree is checked before actual lookup table is built so it was not vulnerable.
Introduction 🔗Once again compression algorithms are showing us that they are ruling the internet. My initial encounter with compression algorithms was in the year 2007, while reversing the Windows hibernation file to reimplement the now well-known Microsoft LZXpress which I discovered later was used in most Microsoft products until today. This journey continues today, with the scrutiny of the vulnerability CVE-2023-4863 located within the open-source Libwebp library, affecting Chromium-based browsers such as such Mozilla, Chrome, and Edge but also messaging applications such as iMessage.