TechEcho: a technology news platform built with Next.js, offering global technology news and discussion.
© 2025 TechEcho. All rights reserved.

Tachy0n: The Last 0day Jailbreak

262 points, by todsacerdoti, 4 days ago

8 comments

yjftsjthsd-h, 4 days ago

> The way he managed to beat a trillion dollar corporation was through the kind of simple but tedious and boring work that Apple sucks at: regression testing.

> Because, you see: this has happened before. On iOS 12, SockPuppet was one of the big exploits used by jailbreaks. It was found and reported to Apple by Ned Williamson from Project Zero, patched by Apple in iOS 12.3, and subsequently unrestricted on the Project Zero bug tracker. But against all odds, it then resurfaced on iOS 12.4, as if it had never been patched. I can only speculate that this was because Apple likely forked XNU to a separate branch for that version and had failed to apply the patch there, but this made it evident that they had no regression tests for this kind of stuff. A gap that was both easy and potentially very rewarding to fill. And indeed, after implementing regression tests for just a few known 1days, Pwn got a hit.

And now I wonder how many other projects are doing this. Is anyone running a CI farm running historical vulnerabilities on new versions of Linux/FreeBSD/OpenWRT/OpenSSH/...? It would require that someone wrote up each vulnerability in automated form (a low bar, I think), have the CI resources to throw at it (higher bar, though you could save by running a random selection on each new version), care (hopefully easy), and think of it (surprisingly hard).
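The comment above describes the missing piece as a CI job that replays known, already-fixed bugs against each new build and fails when one of them hits again. The following is an added example of what such a harness can look like; it is not code from the post, the thread, or any project mentioned in it. Everything in it is constructed: `KnownBug`, `run_regressions`, `has_failures` and the catalog entries are hypothetical names, and `fake_target_has_bug` is a simulated stand-in for an actual proof-of-concept run (it models a bug fixed in 12.3 whose fix is missing on a 12.4 branch, in the spirit of the SockPuppet story, without any real exploit logic). The point it shows beyond the prose is the verdict logic: a hit on a version before the fix is expected rather than a regression, a probe that crashes or throws is an error that must be triaged rather than silently counted as a pass, and the random subset the commenter suggests is seeded so a CI run stays reproducible.

```python
"""Added example: a minimal known-1day regression harness (hypothetical code).

Each catalog entry records a bug that was already fixed, the version that
first carried the fix, and a `probe` callable returning True when the bug is
still reachable on a given target version. The harness replays the probes
(optionally a seeded random subset) against a target and reports any bug that
is reachable on a version at or after its fix version as a regression.
"""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'12.4.1' -> (12, 4, 1); shorter strings are zero-padded so '12.4' < '12.4.1'."""
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass(frozen=True)
class KnownBug:
    name: str
    fixed_in: str                      # first version claimed to carry the fix
    probe: Callable[[str], bool]       # True if the bug is still reachable


# Constructed stand-in for a real PoC run (no exploit logic). It simulates a
# bug fixed in 12.3 whose fix was dropped on a 12.4 branch and is back in 12.4.1.
_SIMULATED_UNPATCHED = {parse_version("12.4")}


def fake_target_has_bug(version: str) -> bool:
    v = parse_version(version)
    return v < parse_version("12.3") or v in _SIMULATED_UNPATCHED


def never_reachable(version: str) -> bool:
    return False  # simulates a bug whose fix has held on every version


def crashing_probe(version: str) -> bool:
    raise RuntimeError("target crashed during probe")  # simulates a PoC that panics the target


CATALOG: List[KnownBug] = [
    KnownBug("sim-uaf-12.3", "12.3", fake_target_has_bug),
    KnownBug("sim-oob-11.0", "11.0", never_reachable),
    KnownBug("sim-race-12.0", "12.0", crashing_probe),
]


def run_regressions(target_version: str, catalog: List[KnownBug] = CATALOG,
                    sample: Optional[int] = None, seed: int = 0) -> Dict[str, str]:
    """Return {bug name: verdict} for the probes run against target_version.

    Verdicts: 'regressed' (target is at/after the fix version but the bug hits),
    'ok' (not reachable), 'error' (probe crashed or threw; needs triage),
    'skipped' (target predates the fix, so a hit would not be a regression).
    """
    selected = list(catalog)
    if sample is not None and sample < len(selected):
        # Seeded subset so a CI run is reproducible; the build id makes a good seed.
        selected = random.Random(seed).sample(selected, sample)
    target = parse_version(target_version)
    verdicts: Dict[str, str] = {}
    for bug in selected:
        if target < parse_version(bug.fixed_in):
            verdicts[bug.name] = "skipped"
            continue
        try:
            hit = bug.probe(target_version)
        except Exception:
            verdicts[bug.name] = "error"
            continue
        verdicts[bug.name] = "regressed" if hit else "ok"
    return verdicts


def has_failures(verdicts: Dict[str, str]) -> bool:
    """CI gate: both regressions and probe errors fail the build."""
    return any(v in ("regressed", "error") for v in verdicts.values())


if __name__ == "__main__":
    for ver in ("12.2", "12.3", "12.4", "12.4.1"):
        result = run_regressions(ver)
        print(ver, result, "FAIL" if has_failures(result) else "PASS")
```

Treating a crashed probe as a failure rather than a pass is deliberate: on a real target a PoC that panics the kernel is itself a signal, and a harness that only fails on a clean "exploit succeeded" return would hide exactly the partial regressions that are worth a human look.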
0x38B, 4 days ago

> forget everything you know about kheap separation, forget all the task port mitigations, forget SSV and SPTM

This is like when you're speaking in a foreign language with a friend and getting along fine, but in the next sentence they begin describing brain surgery or nuclear physics, and your understanding falls off a cliff.

Or that time I tried to interpret a conversation about blast furnace renovations.

As far as jailbreaks go, I'm sad it's not a thing anymore; I don't think I ever did anything useful with my jailbroken iPad, but it was fun. Today I'd install a tethering app and UTM + a JIT solution (1).

1: SideStore looked promising, but my account was once a paid Apple Developer account and I have 10 app IDs that won't expire, so I can't install any apps like the aforementioned UTM, unless I make a new account or pay again.
weinzierl, 4 days ago

I've heard Apple pays a million for jailbreaks now. That's the lower bound for the price on the free market.
Tachyooon, 4 days ago

I'm no security researcher, but this hits close to home for me personally.
ivanjermakov, 4 days ago

If this is the case, Apple employed an amazing strategy. By locking all ways to possibly root their devices, they patch vulnerabilities discovered for free by jailbreak devs.
greggh, 4 days ago

My favorite line from the whole post: "I'd also like to thank whoever unpatched the bug in iOS 13.0. That was a very cool move too."
Hilift, 3 days ago

> I can't possibly imagine where we'll be in 5 years from now.

I can. iMessage still allows device, account, and data takeovers.
peterburkimsher, 3 days ago

Tethered or untethered? The article didn't say.