New vulnerabilities in Apple’s macOS and iOS allow attackers to siphon a targeted user’s call history, calendar, address book and photos. The bugs signal bad news to Apple, according to researchers, who say they represent a new class of bugs within Apple’s security posture.
The bugs, reported by researchers at Trellix on Tuesday, offer a “huge range” of adversarial tactics.
The vulnerabilities “represent a significant breach of the security model of macOS and iOS, which relies on individual applications having fine-grained access to the subset of resources they need and querying higher privileged services to get anything else,” wrote Austin Emmitt, senior vulnerability researcher with Trellix, in the report.
In short, the “large new class of bugs” lets an attacker bypass the code-signing protections that are meant to ensure only validated applications run on an iOS or macOS device. Once those protections are bypassed, unsigned code executes without triggering any security warning, which in turn enables privilege escalation and sandbox escape on both macOS and iOS.
“Since the first version of iOS on the original iPhone, Apple has enforced careful restrictions on the software that can run on their mobile devices. Only applications that were cryptographically signed by a developer certificate trusted by Apple could be executed,” Emmitt wrote.
These restrictions are meant to keep malicious software from running on devices. What Trellix discovered were holes in Apple’s approach that allow an attacker to run malicious code despite the code-signing requirements that are supposed to establish the code’s origin and legitimacy, and by extension its trustworthiness.
The Apple vulnerabilities (CVE-2023-23530 and CVE-2023-23531) range in severity from medium to high and are classified as privilege escalation bugs. While both are serious, exploiting either one requires the adversary to already have code execution on the targeted device. Apple issued patches for both in its macOS 13.2 and iOS 16.3 software updates.
What’s old is new again
Trellix said its findings build on earlier research into the high-profile exploit dubbed FORCEDENTRY. That exploit was uncovered in 2021 by Citizen Lab and subsequently analyzed by Google Project Zero. It was a zero-click iOS attack that gave an attacker remote code execution on targeted devices, and it was used to deliver NSO Group’s Pegasus spyware; it was widely identified as the exploit a nation state used against a Saudi Arabian activist’s iPhone.
FORCEDENTRY was a two-stage attack. The first stage sent the victim a PDF disguised as a GIF image. The second stage abused a component reachable from the iOS sandbox, allowing the code to “escape” the sandbox and reach other system components.
Trellix’s research focused on NSPredicate, an Apple Foundation class for expressing filtering logic that can be serialized and passed between processes, and which was key to the FORCEDENTRY sandbox escape. Apple’s fix added a checker, NSPredicateVisitor, that inspects a predicate before it is evaluated; Emmitt said he examined this checker, viewed as “Apple's primary mitigator of danger,” and that examination led to the Trellix discovery. Despite Apple’s patch to prevent the abuse of NSPredicate (in the context of Pegasus), Trellix found a way to bypass the mitigation.
As Patrick Wardle, creator of the Mac security website and tool suite Objective-See, noted on Twitter, “Apple’s fixes [for the past FORCEDENTRY disclosure] were wholly useless.”
Trellix’s technical description of the weaknesses in Apple’s security approach centers on the shortcomings of Apple’s NSPredicate patch.
One example of the new class of bugs involves coreduetd, a CoreDuet daemon that runs as root and collects data about behavior on the device. “An attacker with code execution in a process with the proper entitlements, such as Messages or Safari, can send a malicious NSPredicate and execute code with the privileges of this process,” Emmitt wrote.
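To make the threat in the preceding paragraph concrete, the following is an added example written for this page; it is not code from the Trellix report, from Apple, or from any of the affected daemons. It shows why a privileged service that evaluates an NSPredicate handed to it by a less-privileged client is effectively letting that client call methods in its process, and it sketches one conservative allow-list walk over the predicate tree. The hostile and benign predicate strings, the record they are evaluated against, and the `PredicateIsSafe`/`ExpressionIsSafe` helper names are all constructed for illustration. Note the caveat the article itself supplies: Apple’s own mitigation was a checker of this general kind, and Trellix reports bypassing it, so a filter like this reduces exposure but is no substitute for refusing to accept predicates from untrusted clients in the first place.

```objc
// Added example, not code from the Trellix report or from Apple.
// Build: clang -framework Foundation predicate_check.m -o predicate_check
#import <Foundation/Foundation.h>

// Constructed, attacker-style predicate. FUNCTION(receiver, 'selector', args...)
// lets a predicate invoke arbitrary Objective-C methods, so "evaluating a filter"
// becomes "running the client's method calls inside the evaluating process".
static NSString *const kHostileFormat =
    @"FUNCTION(FUNCTION(CAST('NSFileManager', 'Class'), 'defaultManager'), "
    @"'contentsAtPath:', '/etc/hosts') != nil";

// Constructed, benign predicate of the kind a client legitimately needs.
static NSString *const kBenignFormat = @"name == 'alice' AND age IN {30, 31}";

// Allow only expression kinds that cannot invoke code: constants, key paths, the
// evaluated object itself, and aggregates built from those. Everything else
// (FUNCTION, CAST, SUBQUERY, variables, block expressions) is rejected.
static BOOL ExpressionIsSafe(NSExpression *e) {
    switch (e.expressionType) {
        case NSConstantValueExpressionType:
        case NSEvaluatedObjectExpressionType:
        case NSKeyPathExpressionType:
            return YES;
        case NSAggregateExpressionType:
            for (id sub in (NSArray *)e.collection) {
                if (![sub isKindOfClass:[NSExpression class]] || !ExpressionIsSafe(sub)) {
                    return NO;
                }
            }
            return YES;
        default:
            return NO;
    }
}

static BOOL PredicateIsSafe(NSPredicate *p) {
    if ([p isKindOfClass:[NSCompoundPredicate class]]) {
        for (NSPredicate *sub in ((NSCompoundPredicate *)p).subpredicates) {
            if (!PredicateIsSafe(sub)) return NO;
        }
        return YES;
    }
    if ([p isKindOfClass:[NSComparisonPredicate class]]) {
        NSComparisonPredicate *c = (NSComparisonPredicate *)p;
        // A custom-selector comparison also calls a method on the left operand.
        if (c.predicateOperatorType == NSCustomSelectorPredicateOperatorType) return NO;
        return ExpressionIsSafe(c.leftExpression) && ExpressionIsSafe(c.rightExpression);
    }
    // Any other NSPredicate subclass (block predicates, TRUEPREDICATE, ...) is refused.
    return NO;
}

int main(void) {
    @autoreleasepool {
        NSDictionary *record = @{ @"name": @"alice", @"age": @31 };

        // In the real scenario the predicate arrives already parsed, for example as an
        // NSSecureCoding object over NSXPC; predicateWithFormat: stands in for that here.
        NSPredicate *hostile = [NSPredicate predicateWithFormat:kHostileFormat];
        NSPredicate *benign  = [NSPredicate predicateWithFormat:kBenignFormat];

        NSLog(@"hostile predicate accepted: %d", PredicateIsSafe(hostile));
        NSLog(@"benign predicate accepted:  %d", PredicateIsSafe(benign));

        // Only evaluate what passed the check. Evaluating `hostile` would read /etc/hosts
        // with the service's privileges, which is the primitive the article describes.
        if (PredicateIsSafe(benign)) {
            NSLog(@"benign matches record: %d", [benign evaluateWithObject:record]);
        }
    }
    return 0;
}
```

The check is an allow-list on expression types rather than a deny-list of dangerous selectors, because a deny-list has to anticipate every way a method call can be expressed, which is the kind of gap the article says Trellix found in Apple’s own checker. Even so, the safest design for a higher-privileged service is to accept a small, purpose-built query structure from clients and build the NSPredicate itself, rather than deserializing and validating arbitrary predicates.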
Additional flaws were found in OSLogService, which could allow an attacker to read syslog data, and in UIKitCore on the iPad, where an NSPredicate vulnerability could be reached from an app with no entitlements. In the latter scenario, an attacker could set malicious scene activation rules to achieve code execution inside SpringBoard, a highly privileged process, and from there even wipe the device.
Trellix disclosed these vulnerabilities to Apple, which addressed them in macOS 13.2 and iOS 16.3. Apple’s security updates site notes that the January advisory was updated to reflect these findings.