- Security experts have found a “new class” of bugs.
- The bugs could expose personal data, including location information, call history, and images.
- The vulnerabilities have Common Vulnerability Scoring System (CVSS) ratings between 5.1 and 7.1.
A team of security experts claims to have discovered a “new class” of vulnerabilities that could enable attackers to circumvent tech giant Apple’s security measures in iOS and macOS to access users’ sensitive data.
The vulnerabilities range in severity from medium to high, with Common Vulnerability Scoring System (CVSS) ratings between 5.1 and 7.1. By exploiting these flaws, malicious software may be able to access personal data such as a user’s messages, location information, call history, and images.
Trellix’s findings align with prior work from Google and Citizen Lab, who, in 2021, identified a new zero-day vulnerability called ForcedEntry that was exploited by Israeli spyware manufacturer NSO Group to remotely and covertly hack into iPhones at the direction of its government clients.
In order to prevent the use of the attack, Apple subsequently improved its device security defences by including new code-signing mitigations that cryptographically confirm that the device’s software is trusted and hasn’t been altered. Trellix, though, claimed that Apple’s mitigations are insufficient to stop similar attacks.
In a blog post, Trellix wrote that the latest issues affect NSPredicate, a class that lets developers filter lists of objects. Following the ForcedEntry bug, Apple tightened restrictions on NSPredicate using the NSPredicateVisitor protocol. Nonetheless, Trellix claimed that almost all NSPredicateVisitor implementations could be bypassed.
However, Apple has reportedly addressed these issues with iOS 16.3 and macOS 13.2, and users should update their iPhones and MacBooks to remain secure.
Security experts reported that the first vulnerability they discovered under this new class of flaws was in coreduetd, a process that gathers information about user behaviour on the device.
An attacker with code execution in a process with the necessary entitlements, such as Messages or Safari, can send a malicious NSPredicate and execute code with the privileges of this process. Because the process runs as root on macOS, the attacker gains access to the user’s calendar, address book, and images, the researchers said.