Security Researchers Warn of a 'New Class' of Apple Bugs
Since the earliest versions of the iPhone, “The ability to dynamically execute code was nearly completely removed,” write security researchers at Trellix, “creating a powerful barrier for exploits which would need to find a way around these mitigations to run a malicious program. As macOS has continually adopted more features of iOS it has also come to enforce code signing more strictly.
“The Trellix Advanced Research Center vulnerability team has discovered a large new class of bugs that allow bypassing code signing to execute arbitrary code in the context of several platform applications, leading to escalation of privileges and sandbox escape on both macOS and iOS…. The vulnerabilities range from medium to high severity with CVSS scores between 5.1 and 7.1. These issues could be used by malicious applications and exploits to gain access to sensitive information such as a user’s messages, location data, call history, and photos.”
Computer Weekly explains that the vulnerability bypasses strengthened code-signing mitigations put in place by Apple on its developer tool NSPredicate after the infamous ForcedEntry exploit used by Israeli spyware manufacturer NSO Group:
So far, the team has found multiple vulnerabilities within the new class of bugs, the first and most significant of which exists in a process designed to catalogue data about behaviour on Apple devices. If an attacker has achieved code execution capability in a process with the right entitlements, they could then use NSPredicate to execute code with the process’s full privilege, gaining access to the victim’s data.
Emmitt and his team also found other issues that could enable attackers with appropriate privileges to install arbitrary applications on a victim’s device, access and read sensitive information, and even wipe a victim’s device. Ultimately, all of the new bugs carry a similar level of impact to ForcedEntry.
Senior vulnerability researcher Austin Emmitt said the vulnerabilities constituted a “significant breach” of the macOS and iOS security models, which rely on individual applications having fine-grain access to the subset of resources needed, and querying services with more privileges to get anything else.
“The key thing here is the vulnerabilities break Apple’s security model at a fundamental level,” Trellix’s director of vulnerability research told Wired — though there’s some additional context:
Apple has fixed the bugs the company found, and there is no evidence they were exploited…. Crucially, any attacker trying to exploit these bugs would require an initial foothold into someone’s device. They would need to have found a way in before being able to abuse the NSPredicate system. (The existence of a vulnerability doesn’t mean that it has been exploited.)
Apple patched the NSPredicate vulnerabilities Trellix found in its macOS 13.2 and iOS 16.3 software updates, which were released in January. Apple has also issued CVEs for the vulnerabilities that were discovered: CVE-2023-23530 and CVE-2023-23531. Since Apple addressed these vulnerabilities, it has also released newer versions of macOS and iOS. These included security fixes for a bug that was being exploited on people’s devices.
TechCrunch explores its severity:
While Trellix has seen no evidence to suggest that these vulnerabilities have been actively exploited, the cybersecurity company tells TechCrunch that its research shows that iOS and macOS are “not inherently more secure” than other operating systems….
Will Strafach, a security researcher and founder of the Guardian firewall app, described the vulnerabilities as “pretty clever,” but warned that there is little the average user can do about these threats, “besides staying vigilant about installing security updates.” And iOS and macOS security researcher Wojciech ReguÅa told TechCrunch that while the vulnerabilities could be significant, in the absence of exploits, more details are needed to determine how big this attack surface is.
Jamf’s Michael Covington said that Apple’s code-signing measures were “never intended to be a silver bullet or a lone solution” for protecting device data. “The vulnerabilities, though noteworthy, show how layered defenses are so critical to maintaining good security posture,” Covington said.
Read more of this story at Slashdot.
Comments are closed, but trackbacks and pingbacks are open.