For years, Apple has hardened the security systems on iPhones and Macs. But no company is immune to such problems. Research reveals a new class of bugs that could affect Apple’s iPhone and Mac operating systems and, if exploited, could allow an attacker to access your messages, photos, and call history.
Researchers at the Advanced Research Center of security company Trellix are today publishing details of a bug class that could allow criminal hackers to breach Apple’s security measures and run their own unauthorized code. The team says the security flaws they found – which they rate as medium to high severity – bypass the protections Apple had in place to protect users.
“The most important thing here is that the vulnerabilities break Apple’s security model at a fundamental level,” said Doug McKee, director of vulnerability research at Trellix. McKee says finding the new bug class means researchers and Apple may be able to find more similar bugs and improve overall security. Apple has fixed the bugs Trellix found, and there is no evidence that they were exploited.
Trellix’s findings build on previous work by Google and Citizen Lab, a University of Toronto research facility. In 2021, the two organizations discovered ForcedEntry, a zero-click, zero-day iOS exploit linked to Israeli spyware maker NSO Group. (The exploit, described as highly sophisticated, was found on a Saudi activist’s iPhone and used to install NSO’s Pegasus malware.)
Analysis of ForcedEntry showed that there were two main components. The first tricked an iPhone into opening a malicious PDF disguised as a GIF. The second part allowed attackers to escape Apple’s sandbox, which prevents apps from accessing data stored by other apps and accessing other parts of the device. Trellix’s research, by senior vulnerability researcher Austin Emmitt, focuses on that second part, eventually using the flaws he found to get around the sandbox.
Specifically, Emmitt found a class of vulnerabilities revolving around NSPredicate, a tool that can filter code within Apple’s systems. NSPredicate was first abused in ForcedEntry, and as a result of that investigation in 2021 Apple introduced new ways to stop the abuse. However, that turns out not to have been enough. “We found that these new measures could be circumvented,” Trellix says in a blog post outlining the details of the investigation.
McKee explains that the bugs in this new NSPredicate class appeared in multiple places across macOS and iOS, including within SpringBoard, the app that manages the iPhone’s home screen and has access to location data, photos, and the camera. Once the bugs are exploited, the attacker can gain access to areas that are intended to be closed off. A proof-of-concept video published by Trellix shows how the vulnerabilities can be exploited.
The new class of bugs “brings a lens to an area that people haven’t explored before because they didn’t know it existed,” says McKee. “Especially with that background of ForcedEntry, because someone at that sophistication level already exploited a bug in this class.”
Crucially, any attacker trying to exploit these bugs would first need to gain a foothold on someone’s device. Only then could they go on to exploit the NSPredicate flaws. (The existence of a vulnerability does not mean it has been exploited.)
Apple has patched the NSPredicate vulnerabilities that Trellix found in its macOS 13.2 and iOS 16.3 software updates, released in January. Apple has also issued CVEs for the discovered vulnerabilities: CVE-2023-23530 and CVE-2023-23531. Since addressing these vulnerabilities, Apple has released newer versions of macOS and iOS, which include security fixes for a bug that was being exploited on people’s devices. Make sure you update your iPhone, iPad, and Mac each time a new version of the operating system becomes available.