
Over the years, Apple has enhanced security on iPhone and Mac. But no company is immune to such problems. Research has revealed a new class of bugs that affects Apple’s iPhone and Mac operating systems and, if exploited, could allow attackers to read your messages, photos and call logs.
Researchers at the security firm Trellix’s Center for Advanced Research today released details of vulnerabilities that could have allowed criminal hackers to break through Apple’s security protections and run their own unauthorized code. The team said the security flaws they discovered, which they rated as medium-high severity, bypass protections Apple had put in place to protect users.
“The key here is that these vulnerabilities fundamentally break Apple’s security model,” said Doug McKee, director of vulnerability research at Trellix. McKee said that identifying the new bug category means that researchers and Apple will likely find more bugs like this and improve overall security protections. Apple has fixed the vulnerabilities Trellix found, and there is no evidence they were exploited.
Trellix’s findings build on previous work at Google and the Citizen Lab, a research arm at the University of Toronto. In 2021, the two groups discovered ForcedEntry, a zero-click, zero-day iOS exploit linked to Israeli spyware maker NSO Group. (The exploit, described as highly sophisticated, was discovered on a Saudi activist’s iPhone and used to install NSO’s Pegasus malware.)
Analysis of ForcedEntry shows that it involves two key parts. The first tricks an iPhone into opening a malicious PDF disguised as a GIF. The second allows attackers to escape Apple’s sandbox, which prevents apps from accessing data stored by other apps and from reaching other parts of the device. Trellix’s research, led by Senior Vulnerability Researcher Austin Emmitt, focused on the second part; Emmitt ultimately exploited the vulnerability he found to bypass the sandbox.
Specifically, Emmitt discovered a class of vulnerabilities surrounding NSPredicate, a filtering tool in Apple’s systems. NSPredicate was first abused in ForcedEntry, and in response to that 2021 research Apple introduced new mitigations to prevent abuse. However, these do not appear to be enough. “We found that these new mitigations can be bypassed,” Trellix said in a blog post outlining details of its research.
McKee explained that bugs in this new NSPredicate class exist in multiple places across macOS and iOS, including in SpringBoard, the app that manages the iPhone’s home screen and can access location data, photos, and the camera. Once exploited, the attacker could gain access to areas that should have been locked down. A proof-of-concept video released by Trellix demonstrates the vulnerabilities being exploited.
The new bug category “brings a lens into an area that people haven’t looked at before because they didn’t know it existed,” McKee said. “Especially in the context of ForcedEntry, because people at that level of sophistication are already exploiting bugs in this class.”
Crucially, any attacker trying to exploit these vulnerabilities would first need to establish an initial foothold on someone’s device; only then could they find a way to abuse the NSPredicate system. (The existence of a vulnerability does not mean that it has been exploited.)
Apple patched the NSPredicate vulnerabilities discovered by Trellix in the macOS 13.2 and iOS 16.3 software updates released in January. Apple has also issued CVEs for the discovered vulnerabilities: CVE-2023-23530 and CVE-2023-23531. Alongside these fixes, the updated versions of macOS and iOS also include security fixes for vulnerabilities that were actively exploited on people’s devices. Be sure to update your iPhone, iPad, and Mac every time a new version of the operating system becomes available.