Security researchers say they have discovered a “new class” of vulnerabilities that allow attackers to bypass Apple’s security measures in iOS and macOS to gain access to users’ sensitive data.
Trellix’s Advanced Research Center released details this week about the privilege escalation vulnerabilities — meaning they allow someone to gain a higher level of access to the system — affecting both iPhones and Macs. Trellix warned that the class of bugs, ranging from moderate to very severe, could allow malicious apps to escape their protective “sandbox” and access sensitive information on a person’s device, including a person’s messages, location data, call history, and photos.
Trellix’s findings follow previous research from Google and Citizen Lab, which in 2021 discovered a new zero-day exploit called ForcedEntry that was abused by Israeli spyware maker NSO Group to remotely and surreptitiously hack into iPhones at the behest of its government customers. Apple subsequently strengthened the device’s security by adding new code-signing measures, which cryptographically verify that the device’s software is trusted and has not been modified, to stop the exploit from being used.
But Trellix said this week that the measures put in place by Apple are insufficient to prevent similar attacks.
In a blog post, Trellix said the new bugs involve NSPredicate, a tool that allows developers to filter code, around which Apple tightened restrictions after the ForcedEntry bug through a protocol called NSPredicateVisitor. But Trellix said that almost every implementation of NSPredicateVisitor “could be bypassed.”
While Trellix has seen no evidence that these vulnerabilities have been actively exploited, the cybersecurity firm tells businessupdates.org that its research shows that iOS and macOS are “not inherently more secure” than other operating systems.
“The vulnerabilities discovered by our team this week fundamentally violated their security model,” said Doug McKee, director of Vulnerability Research at Trellix, adding that the bugs made it easier to gain unauthorized access to sensitive data. “These bugs essentially allow an attacker to execute low-privilege code, i.e. basic functions on macOS or iOS, to gain much higher privileges.”
Apple has patched the vulnerabilities Trellix found in the macOS 13.2 and iOS 16.3 software updates, released in January. Apple’s security support documents were also updated on Tuesday to reflect the release of the new patches.
Will Strafach, a security researcher and founder of the Guardian firewall app, described the vulnerabilities as “pretty smart,” but warned that there’s little the average user can do about these threats, “other than staying vigilant about installing security updates.”
iOS and macOS security researcher Wojciech Reguła told businessupdates.org that while the vulnerabilities can be significant, in the absence of exploits more detail is needed to determine how large this attack surface is.
Jamf’s Michael Covington said Apple’s code-signing measures were “never intended to be a silver bullet or a solitary solution” for protecting device data. “While the vulnerabilities are remarkable, they show that layered defenses are so critical to maintaining a good security posture,” said Covington.
When reached, Apple did not comment on the record.