[RndTbl] CVE-2023-41064

Trevor Cordes trevor at tecnopolis.ca
Fri Oct 6 00:10:46 CDT 2023

On 2023-10-05 Adam Thompson wrote:
> What everyone calls SMS almost always includes MMS, which is a
> layered superset of SMS capabilities (using OTT IP, FWIW).

Ya, even if iMessage tries to take over on Apple as the MMS
replacement, iOS devices must still speak MMS to communicate with
Android phones.

> MMS is capable of sending images.  While they normally get transcoded
> at least once, and usually 3 times (wtf, I know), it is possible for
> a sufficiently-sophisticated attacker to send webP images bypassing
> all the transcoding.  To do so, the attacker would need an SS7
> connection, but while expensive, that's not a massive technical
> hurdle.

If the carriers (of which there actually aren't many in terms of "big"
players) are already transcoding then in theory they could also check
or block/strip images that have the hack in them?  The bug description
makes it sound like it would be trivial to do.

> So... sadly that's still a zero-click vuln on every cell phone with a
> carrier that isn't still in the dark ages.

Then the next question is with Apple pushing iOS updates out fairly
quickly, what is Android doing?  I've yet to see any new OS update from
Samsung.  I guess it's just their usual head-in-the-sand
nothing-to-see-here response?

Since webp never really took off, makes you wonder why they pushed it
out to every browser and device so eagerly... malware on purpose?
People thought it was "safe" because it was a huge company pushing it?
No one checked the source?  If I was conspiracy minded...

Now excuse me while I go setup my firefox to run in firejail...

More information about the Roundtable mailing list