Apple recently fixed “medium to high severity” security flaws on its iPhone and Mac operating systems that could give bad actors access to your messages, photos, and call history, according to researchers at security firm Trellix‘s Advanced Research Center (via WIRED).
Trellix’s researchers discovered a new class of “privilege escalation” bugs affecting both iOS and macOS that, if successfully exploited, could let hackers bypass Apple’s security protections to run unauthorized (and potentially malicious) code.
“The key thing here is the vulnerabilities break Apple’s security model at a fundamental level,” said Doug McKee, director of vulnerability research at Trellix.
Austin Emmitt, a senior vulnerability researcher at Trellix, was responsible for the research on the new bug class. He built on previous work from Google and Citizen Lab, a research facility out of the University of Toronto, on “ForcedEntry,” a zero-click, zero-day iOS exploit that was used to install Israeli spyware maker NSO Group‘s Pegasus spyware on a Suadi activist’s phone.
Specifically, Trellix’s research focuses on the part of the ForcedEntry exploit that allows attackers to operate outside of Apple’s sandbox. Emmitt was able to use the security flaws he found to bypass Apple’s sandbox as well.
The new class of vulnerabilities has to do with NSPredicate, a tool used to filter code on Apple’s platforms that ForcedEntry also targeted. While Apple patched those vulnerabilities, it looks like the company didn’t do enough. “We discovered that these new mitigations could be bypassed,” said Trellix.
The new NSPredicate vulnerability exists in multiple areas across both iOS and macOS, including within Springboard, the app that manages the iPhone’s home screen and has access to location data, photos, and the camera, Trellix discovered.
This new class of bugs “brings a lens to an area that people haven’t been researching before because they didn’t know it existed,” said McKee. “Especially with that backdrop of ForcedEntry because somebody at that sophistication level already was leveraging a bug in this class.”
Notably, bad actors need to already have an initial foothold within a target device to exploit bugs in this new class. The new vulnerabilities discovered by Trellix are being tracked as CVE-2023-23530 and CVE-2023-23531, and Apple patched them with the macOS 13.2 and iOS 16.3 software updates last month. There is no evidence that either of the bugs was exploited in the wild.
