by jc_811 2370 days ago
I see the biggest bounty is for $1,000,000 USD and says: “Zero-click kernel code execution with persistence and kernel PAC bypass”

As someone who doesn’t speak this language, what does this mean? And are there examples in history of this type of exploit affecting a large company?

2 comments

> Zero-click

No user interaction required.

> kernel code execution with persistence

Persistent malware with root privilege.

> kernel PAC bypass

I think PAC is some protection measures.

> I think PAC is some protection measures.

Pointer Authentication Code

It’s a form of pointer integrity checking that you can read about in the Platform Security Guide (this used to be called the iOS Security Whitepaper) released today: https://support.apple.com/en-sg/guide/security/seca5759bf02/...

Google’s Project Zero also wrote a post about this mechanism, including a detailed case study of where they were able to bypass it: https://googleprojectzero.blogspot.com/2019/02/examining-poi...

PAC generally protects against return-oriented and other control-flow hijacking attacks.
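To make the mechanism described above concrete, here is an added toy model of pointer authentication in C. It is not code from the thread, from Apple, or from Project Zero: real ARMv8.3 hardware uses the QARMA block cipher with keys held in system registers, whereas this sketch uses a simple keyed mixing function so it runs on any machine. The addresses, stack pointer values and key bytes are made up for illustration. It models the compiler's usual use of PAC for return addresses (sign with the stack pointer as modifier in the prologue, authenticate before `ret`), and shows which tampering the check catches and which it does not.

```c
/* Toy model of ARMv8.3 pointer authentication (PAC). Added example only.
 * The "MAC" below stands in for hardware QARMA and is not cryptographically
 * strong; the point is the signing/authentication interface and its limits. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define VA_BITS  48u                              /* assumed user-space VA width */
#define PAC_MASK (~((1ULL << VA_BITS) - 1))       /* upper 16 bits carry the PAC */

typedef struct { uint64_t k0, k1; } pac_key;

/* Stand-in for the hardware keyed MAC over (pointer, modifier). */
static uint64_t toy_mac(uint64_t ptr, uint64_t modifier, pac_key key) {
    uint64_t v = ptr ^ key.k0;
    v = (v ^ (v >> 33)) * 0xff51afd7ed558ccdULL;
    v ^= modifier ^ key.k1;
    v = (v ^ (v >> 33)) * 0xc4ceb9fe1a85ec53ULL;
    v ^= v >> 33;
    return v;
}

/* PAC* instruction: sign the pointer, stash the truncated MAC in the unused
 * upper address bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, pac_key key) {
    uint64_t raw = ptr & ~PAC_MASK;
    return raw | (toy_mac(raw, modifier, key) & PAC_MASK);
}

/* AUT* instruction: recompute the MAC; on mismatch hand back a non-canonical
 * pointer (hardware corrupts a high bit so any later use of it faults). */
bool pac_auth(uint64_t signed_ptr, uint64_t modifier, pac_key key, uint64_t *out) {
    uint64_t raw = signed_ptr & ~PAC_MASK;
    uint64_t expect = toy_mac(raw, modifier, key) & PAC_MASK;
    if ((signed_ptr & PAC_MASK) != expect) {
        *out = raw | (1ULL << 63);                /* poisoned: deref would fault */
        return false;
    }
    *out = raw;
    return true;
}

/* Made-up values for the scenarios below. */
#define RET_ADDR   0x0000000100004a10ULL          /* legitimate return site */
#define GADGET     0x0000000100008b20ULL          /* attacker's ROP gadget  */
#define SP_FRAME_A 0x000000016fd0ff80ULL          /* stack pointer, frame A */
#define SP_FRAME_B 0x000000016fd0fe40ULL          /* stack pointer, frame B */
static const pac_key KEY = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };

/* Normal prologue/epilogue: signed with SP, authenticated with the same SP. */
bool scenario_untampered(void) {
    uint64_t out;
    uint64_t saved = pac_sign(RET_ADDR, SP_FRAME_A, KEY);
    return pac_auth(saved, SP_FRAME_A, KEY, &out) && out == RET_ADDR;
}

/* Classic stack overflow: the saved return address is overwritten with a raw
 * gadget address that carries no valid PAC. Expected: authentication fails. */
bool scenario_overwrite_with_raw_gadget(void) {
    uint64_t out;
    return pac_auth(GADGET, SP_FRAME_A, KEY, &out);
}

/* Attacker leaks a signed pointer from a different frame and replays it here.
 * Expected: fails, because the stack pointer (modifier) differs. */
bool scenario_replay_across_frames(void) {
    uint64_t out;
    uint64_t leaked = pac_sign(GADGET, SP_FRAME_B, KEY);
    return pac_auth(leaked, SP_FRAME_A, KEY, &out);
}

/* Known limitation: a value signed under the same key AND the same modifier
 * (e.g. via a signing gadget, or leaked from an identical context)
 * authenticates fine. PAC binds pointers to a context, not to a caller. */
bool scenario_replay_same_context(void) {
    uint64_t out;
    uint64_t leaked = pac_sign(GADGET, SP_FRAME_A, KEY);
    return pac_auth(leaked, SP_FRAME_A, KEY, &out) && out == GADGET;
}

int main(void) {
    printf("untampered return           : %s\n", scenario_untampered() ? "ok" : "FAIL");
    printf("raw gadget overwrite        : %s\n", scenario_overwrite_with_raw_gadget() ? "accepted" : "rejected");
    printf("signed ptr from other frame : %s\n", scenario_replay_across_frames() ? "accepted" : "rejected");
    printf("signed ptr, same context    : %s\n", scenario_replay_same_context() ? "accepted" : "rejected");
    return 0;
}
```

The last scenario is why the bounty text lists a "PAC bypass" as its own item: the check defeats blind overwrites of return addresses and function pointers, but an attacker who can get the hardware (or a signing oracle in the kernel) to sign a pointer of their choosing under the right modifier can still redirect control flow.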

An exploit that allows full control of the device, that installs with no user interaction (zero-click), and is persistent even after rebooting or power cycling the device.

This is a great explanation, thanks!