Eli5: How are Zero-click exploits even possible?

892 views

Like if nobody “asks” a piece of software to execute, how does it get downloaded to my phone or PC and then execute itself? I can understand attacks, e.g. where you download a jpeg and then click to open it and the jpeg had some extra malicious code in it etc., but without anybody “authorizing” anything, how does the kernel allow the code to be run by the CPU etc.?

**EDIT** I am talking about forced-entry zero-click software like the one Pegasus created for iPhones.

20 Answers

Anonymous 0 Comments

In order for your experience as a user to make it appear as though you can do as you desire, the computer has to complete a lot of tasks; some of these tasks are triggered based on events such as looking at a text. The task could be to just check whether the text had a link and render a new button on your screen, or even talk to another computer about it. It’s these tasks that have weaknesses that are exploited.

Anonymous 0 Comments

Pegasus was the result of combining many different vulnerabilities together.

The basic premise being that when you send a message, the recipient’s phone does some form of processing on that received message. If you can find a way to carefully craft a message that takes advantage of a bug in the message processing code, you can build upon it to perform more complex operations.

You can Google how Pegasus works; there are some fairly detailed documents out there.

Anonymous 0 Comments

> where you download a jpeg and then click to open it and the jpeg had some extra malicious code in it etc, but without anybody “authorizing” anything how does the kernel allow the code to be run by the cpu etc ?

The file manager (or messenger app) generates a thumbnail or preview, this gets exploited. Whatever program generates the thumbnail already has “authorization” to run.

Anonymous 0 Comments

The very simple explanation is that your computer already does a ton of things automatically. So it’s just a matter of figuring out how to insert something malicious into something that’s already running.

For example, imagine if a hacker found a way to push a malicious “update” to your computer by exploiting a bug (vulnerability) in the Windows Update system. It would install the update automatically, and you’d be none the wiser. This would be the mother of all zero-days though, because Windows Update can touch every part of your system, even the BIOS in some cases.

For another example, you already mentioned opening up a malicious jpeg. But if you embed that jpeg on a web page, you can get a person’s web browser to download and open it automatically when they visit the page, because that’s actually how it’s supposed to work. Even more dangerous is if you can slip that jpeg into a sidebar ad and have it served up on hundreds of different pages all over the internet. Fortunately, reputable ad agencies screen ads for that sort of thing before they put them up.

Anonymous 0 Comments

Your devices are usually doing things like downloading emails and messages in the background. And they actually read the content of those messages so they can put some info in the notification.

So if there is a bug in how those programs read the message/email, this can be used to execute malware as soon as the device receives the message, without the user even having to click to open the message themselves.

Anonymous 0 Comments

Zero-click exploits are quite rare, but usually work by taking advantage of one of the many things that a computer (a browser most of the time) does without you asking it.

Practically every website runs some amount of code to show you the page. Browsers have the task of making sure that code can’t/doesn’t hurt your computer, by doing something called containerization. Browsers often have a few layers of containers: one for the whole browser and another smaller one for each tab. These containers are just programs and can have flaws like any other code, which lets certain very specific code ‘break’ the container and access either the other tabs in the browser or break the external container to get at your operating system.

These exploits can make hackers a lot of money and cost everyone else a lot, so companies like Google and Mozilla usually offer “bug bounties,” payment to incentivize people to find these flaws and report them so they can be fixed before malicious actors can exploit them.

Anonymous 0 Comments

Have you seen the battle for Helms Deep (Lord of the Rings)?
If trying to enter through the front gate, there’s lots of protection, and you don’t “just” enter.

But sometimes there’s a flaw in the design, such as the place where they blow a hole in the wall.

When you go to a website, all of the text and images are loaded, meaning basically their code has been run, even if you didn’t click it.

Anonymous 0 Comments

There are a lot of cases where, when a message gets sent to you, your device performs certain types of processing automatically before you even get notified of the message or interact with it at all. If you get a message with an attachment that might be an image or video, for example, your device might attempt to process it before it creates a notification so that the notification can contain a preview of it. In the process of doing that, it must determine that it’s a photo, what format it’s in, what size it is, and process it to scale it down and create a tiny version in the right format to be shown in a notification.

If you can generate a malicious attachment to a message that exploits a flaw in some of that early processing code, you can get your malicious code to run before the user even gets notified that they got a message, much less has to interact with it. It’s a very handy trick, but harder to pull off, since the level of processing that happens at this stage is pretty limited.
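The two answers above (the thumbnail one and this preview one) describe the same mechanism: a parser runs on attacker-supplied bytes before the user touches anything, and it trusts something in those bytes. The C program below is an added illustration, not code from this thread and not anything from Pegasus or iOS. It invents a toy attachment format (magic "TIMG", width, height, a 16-bit payload length, then one byte per pixel) and a background "render a preview" step, and shows a parser that trusts the header's length field next to one that checks every field against the others and the destination buffer. A canary field sits right after the pixel buffer to stand in for whatever really lives there; with the vulnerable parser a message whose header claims 68 bytes for an 8x8 image overwrites it. The demo-only clamps inside `preview_vulnerable` exist only so the program runs deterministically; they are labelled as such and a real parser has no equivalent.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy attachment format (not a real image format):
   bytes 0-3  magic "TIMG"
   byte  4    width in pixels
   byte  5    height in pixels
   bytes 6-7  payload length, big-endian   <-- attacker controlled
   bytes 8..  payload, one byte per pixel                                  */
#define HDR_LEN     8
#define THUMB_BYTES 64                /* preview buffer: 8x8 one-byte pixels */
#define CANARY      0xC0FFEE42u

struct thumb {
    unsigned char pixels[THUMB_BYTES];
    uint32_t canary;                  /* stands in for whatever sits after the buffer */
};

typedef int (*preview_fn)(const unsigned char *, size_t, struct thumb *);

static size_t read_be16(const unsigned char *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Vulnerable parser: the only thing it checks is the magic; the copy length
   comes straight from the header, so the sender decides how much gets written. */
int preview_vulnerable(const unsigned char *msg, size_t len, struct thumb *t)
{
    if (len < HDR_LEN || memcmp(msg, "TIMG", 4) != 0)
        return -1;
    size_t declared = read_be16(msg + 6);
    /* Demo-only clamps so the example stays deterministic: they keep the copy
       inside this struct and inside msg. A real parser has no such lines. The
       check that matters, declared <= THUMB_BYTES, is missing either way. */
    if (declared > sizeof *t)     declared = sizeof *t;
    if (declared > len - HDR_LEN) declared = len - HDR_LEN;
    memcpy(t, msg + HDR_LEN, declared);   /* runs past pixels[] into canary */
    return 0;
}

/* Hardened parser: header fields must agree with each other, fit the buffer,
   and be backed by real bytes before anything is copied. */
int preview_hardened(const unsigned char *msg, size_t len, struct thumb *t)
{
    if (len < HDR_LEN || memcmp(msg, "TIMG", 4) != 0)
        return -1;
    size_t w = msg[4], h = msg[5];
    size_t declared = read_be16(msg + 6);
    if (declared != w * h)        return -2;   /* header contradicts itself */
    if (declared > THUMB_BYTES)   return -3;   /* would not fit the preview buffer */
    if (declared > len - HDR_LEN) return -4;   /* truncated message */
    memcpy(t->pixels, msg + HDR_LEN, declared);
    return 0;
}

/* Build a constructed message; declared may disagree with payload_len on purpose.
   Returns the total length, or 0 if it would not fit in out. */
size_t build_message(unsigned char *out, size_t cap, unsigned w, unsigned h,
                     uint16_t declared, size_t payload_len)
{
    if (cap < HDR_LEN + payload_len) return 0;
    memcpy(out, "TIMG", 4);
    out[4] = (unsigned char)w;
    out[5] = (unsigned char)h;
    out[6] = (unsigned char)(declared >> 8);
    out[7] = (unsigned char)(declared & 0xff);
    memset(out + HDR_LEN, 'A', payload_len);      /* constructed pixel data */
    return HDR_LEN + payload_len;
}

/* Simulates the background "render a preview for the notification" step.
   Returns the parser's result code (0 or negative) if the data after the
   buffer survived, or 1 if the canary was overwritten. */
int run_case(preview_fn parse, unsigned w, unsigned h, unsigned declared, size_t payload_len)
{
    unsigned char buf[512];
    struct thumb t;
    size_t n = build_message(buf, sizeof buf, w, h, (uint16_t)declared, payload_len);
    memset(&t, 0, sizeof t);
    t.canary = CANARY;
    int rc = parse(buf, n, &t);
    return t.canary == CANARY ? rc : 1;
}

int main(void)
{
    printf("benign 8x8, 64 bytes:   vulnerable=%d hardened=%d\n",
           run_case(preview_vulnerable, 8, 8, 64, 64), run_case(preview_hardened, 8, 8, 64, 64));
    printf("8x8 claiming 68 bytes:  vulnerable=%d hardened=%d  (1 = canary overwritten)\n",
           run_case(preview_vulnerable, 8, 8, 68, 68), run_case(preview_hardened, 8, 8, 68, 68));
    printf("16x16, 256 bytes:       hardened=%d\n", run_case(preview_hardened, 16, 16, 256, 256));
    printf("8x8 with only 10 bytes: hardened=%d\n", run_case(preview_hardened, 8, 8, 64, 10));
    return 0;
}
```

Nothing in `run_case` is "clicked": the parse happens as soon as the bytes arrive, which is the whole point of the answers above. The hardened version rejects the crafted message at the first contradiction (declared length versus width times height) and never reaches the copy.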

Anonymous 0 Comments

Computers do lots of things without the user explicitly instructing them to. When you open a folder in File Explorer, did you tell Windows to generate thumbnails for the image files in the folder? No, but it does it anyway, because that’s how Windows was coded.

When you enter a URL, did you explicitly tell your browser to retrieve a JavaScript file from another web server and execute its contents? No, but your browser does it anyway, because its developers and the HTML for the website told it to.

Do you constantly open your phone and tell it to check for new SMS messages? No, but it will do it anyway, because a phone that doesn’t automatically notify you of new messages is pretty useless for most people today.

All of these functions are implemented by software, and like any software they can have security vulnerabilities that might be exploited by malicious actors. In many cases these kinds of exploits are worse, because the underlying feature is often something that has low-level access to the system, or is coded with certain assumptions about the data and may not verify it like it would with user input.