by WhyNotHugo 1434 days ago
So lockdown mode disables any attachment except images on their messaging app, because parsing these has often been introducing exploits.

The fascinating thing is that this parsing would happen in a process which even _has_ privileges to trigger any exploits. Parsing a message should be done far, far away from the core OS operations, high in userspace, by a sandboxed process that can't break anything.

Based on previously seen exploits, it seems messages are handled by rather privileged processes. I wonder if there's a reason for that (e.g.: special messages can trigger privileged operations?)


It's not about privileges; the iMessage BlastDoor exploit built a Turing machine using a weird old image format and then escaped.

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...

Privileged is the wrong word, but GP is not entirely wrong. What you linked to is only the first part of the exploit and analysis.

From the conclusion of the second post, which analyses the sandbox escape:

> Perhaps the most striking takeaway is the depth of the attack surface reachable from what would hopefully be a fairly constrained sandbox. [...] The expressive power of NSXPC just seems fundamentally ill-suited for use across sandbox boundaries, even though it was designed with exactly that in mind. [...]

(The above is severely cut down; reading at least the entire conclusion, or even the whole post, is worth it.)

https://googleprojectzero.blogspot.com/2022/03/forcedentry-s...

Getting into the process that does the message parsing is only the first step in a full exploit chain. Usually processes, even the unprivileged ones, have direct access to the kernel. So if there is a bug in there, for example, you can exploit the kernel as a second step. Alternatively, you exploit a bug in the IPC interface with the messaging app. Etc.

Parsing already does happen (mostly) in a process which doesn't have privileges. Read about BlastDoor.

> Read about BlastDoor.

I have. Mostly in the context of how this grandiose sandboxing scheme was just bypassed. Again.