- The WicKed Web Weekly
Google Links Over 60 Zero-Days to Commercial Spyware Vendors
Apple Unveils Pkl: A New Configuration Language, Weaveworks Bids Farewell: A Cloud Pioneer's Closure, Google Links Over 60 Zero-Days to Commercial Spyware Vendors
Good morning! From the launch of Apple's new configuration language, Pkl, to the unexpected shutdown of Kubernetes pioneer Weaveworks, and wrapping up with Google's report on the commercial spyware industry, there's a lot to unpack.
First up, Apple has released Pkl, an open-source language built specifically for writing and validating configuration. Whether it's the simplicity and scalability that catch your eye or the name that's easy to remember, Pkl looks set to be more than a flash in the pan.
Next, we bid adieu to Weaveworks, a trailblazer in the Kubernetes ecosystem. Despite the backing of tech giant AWS and a promising start, the company's voyage has come to an unforeseen halt. It's a stark reminder of the tech world's unpredictable tides and the importance of stable partnerships and investments.
Finally, we're shining a spotlight on Google's latest exposé, revealing a tangled web of commercial spyware vendors exploiting over 60 zero-days across the biggest names in tech. It's a cyber espionage saga that reads like a spy thriller, highlighting the ongoing battle for digital security and privacy.

Apple Unveils Pkl: A New Configuration Language
Apple has released Pkl (pronounced "Pickle"), an open-source language for producing configuration, from a handful of settings to large, layered deployments. Version 0.25 is the first public release. A Pkl file is evaluated to a static configuration file and can render to JSON, YAML, XML property lists and several other formats. The syntax is key-value, as in JSON or YAML, but Pkl adds classes, typed properties and value constraints, so a wrong type or an out-of-range value is caught when the file is evaluated rather than when the consuming program misbehaves.
Pkl is also meant to be used as a library, embedded in the application that consumes the configuration, and it is designed to be safe: evaluation is sandboxed, and a Pkl file can only import modules and read resources that the evaluator has been configured to allow, so a configuration file cannot quietly turn into code running with the host's privileges. Shortly after launch it already has bindings for Java, Kotlin, Swift and Go, with more planned; Apple's stated goal is a single configuration language usable across many programming environments.
Pkl is niche by design, but a configuration language that validates its own output before it reaches production fills a real gap, and the memorable name will not hurt adoption.
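What that validation looks like in practice, as an added example for this write-up (editorial code, not Apple's or the Pkl project's own; the service schema, field names and the DB_PASSWORD environment variable are hypothetical). The schema refuses privileged ports, refuses any TLS version older than 1.2 at the type level, and pulls the database secret from the environment instead of the checked-in file:

```pkl
/// Hypothetical service configuration schema (added example, not from Apple
/// or the Pkl project). Evaluate with:  pkl eval service.pkl
module serviceConfig

class Listener {
  /// Bind address; an empty string is rejected at evaluation time.
  host: String(!isEmpty)
  /// Unprivileged TCP ports only; 80 or 70000 fail the constraint.
  port: Int(isBetween(1024, 65535))
  /// Only these two values are representable, so "TLSv1.0" is a type error
  /// in Pkl, not a runtime surprise in the service that loads the output.
  minTlsVersion: "TLSv1.2" | "TLSv1.3" = "TLSv1.3"
  /// A plaintext listener must be enabled explicitly, never by omission.
  tls: Boolean = true
}

class Database {
  url: String(startsWith("postgres://"))
  /// Assumption: DB_PASSWORD is set in the evaluator's environment. The secret
  /// is read when the file is evaluated, so it never lives in the repository.
  password: String = read("env:DB_PASSWORD").text
  sslMode: "require" | "verify-full" = "verify-full"
}

listeners: Listing<Listener> = new {
  new {
    host = "0.0.0.0"
    port = 8443
  }
  // Uncommenting the following listener makes `pkl eval` fail before any
  // output is produced: port 80 violates the isBetween constraint and
  // "TLSv1.0" is not a member of the "TLSv1.2" | "TLSv1.3" type.
  // new {
  //   host = "0.0.0.0"
  //   port = 80
  //   tls = false
  //   minTlsVersion = "TLSv1.0"
  // }
}

database: Database = new {
  url = "postgres://db.internal:5432/app"
}

/// Render the validated tree as YAML for the service to load.
output {
  renderer = new YamlRenderer {}
}
```

The design point is that the weak settings are unrepresentable rather than merely discouraged: a reviewer does not have to spot "TLSv1.0" in a diff, because the evaluator refuses to emit a file containing it, and the same schema can be reused from the Java, Swift or Go bindings so every consumer gets the same checks.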

Weaveworks Bids Farewell: A Cloud Pioneer's Closure
Weaveworks, a notable force in the Kubernetes ecosystem backed by Amazon Web Services (AWS), has announced its closure. CEO Alexis Richardson revealed that the decision came after a promising acquisition fell through at the last minute, leaving the company without the partnership or investment it needed for sustained growth. Founded in 2014, Weaveworks made significant strides in cloud native management, raising over $60 million and contributing to major open-source projects like Weave Scope, Weave Cortex, and Weave Flux.
Despite a strong partnership with AWS, especially around the eksctl CLI tool for Amazon Elastic Kubernetes Service (EKS), financial instability and "lumpy" sales in 2023 led to the tough decision to shut down. Richardson reflects on the company's journey with a mix of pride and optimism, highlighting the impact Weaveworks has had on the open-source community and the cloud computing landscape. Even as Weaveworks closes its doors, the CEO assures that their story and contributions, especially to the CNCF Flux project, will continue to influence the industry.

Google Exposes the Shadowy World of Commercial Spyware
Google's Threat Analysis Group (TAG) has cast a spotlight on commercial surveillance vendors, linking more than 60 zero-day vulnerabilities in products from Apple, Adobe, Google, Microsoft and Mozilla to these vendors since 2016. The vendors develop exploit chains and sell them, packaged as surveillance tools, to government customers, who in turn have used them against political opponents, journalists and human rights defenders.
Google's investigation describes a market in which exploit chains that grant full control of a device, Android and iOS phones in particular, change hands for millions of dollars. The report names 11 vendors, including Candiru and NSO Group, responsible for exploiting vulnerabilities in a wide range of products, underscoring the global reach and sophistication of their operations.
The findings are a reminder that prompt patching matters: every vulnerability listed below has a vendor fix, and the zero-day window for a given device closes only when that update is actually installed. Google's revelations come at a time when the misuse of commercial spyware is attracting international scrutiny, prompting the US government to announce policies aimed at curbing the abuse of such technologies.
The report's attributions include:
- The iOS zero-days CVE-2023-28205 and CVE-2023-28206, for which Apple rushed out patches in April 2023, and CVE-2023-32409, patched in May, were exploited by Spanish company Variston. Exploitation of the Android vulnerability CVE-2023-33063 has now also been linked to the same vendor.
- The iOS vulnerabilities CVE-2023-42916 and CVE-2023-42917, for which Apple recently warned of active exploitation, have been linked to Turkish company PARS Defense.
- CVE-2023-2033 and CVE-2023-2136, Chrome flaws fixed by Google in April, and CVE-2023-3079, addressed in June, have all been attributed to Intellexa.
- CVE-2023-7024, the eighth zero-day patched in Chrome in 2023, has now been attributed to NSO Group.
- When it fixed CVE-2023-5217 in September, Google warned that the Chrome vulnerability had been exploited by a spyware vendor but did not name the company. The new report identifies that vendor as Israel-based Candiru.
- The Android vulnerabilities CVE-2023-4211, CVE-2023-33106 and CVE-2023-33107 have been attributed to Italian firm Cy4Gate.
