A new type of error poses security problems for iOS and macOS

For many years Apple tightened security systems on iPhone and Mac. But no company is immune from such problems. Research has identified a new class of bugs that can affect the Apple iPhone and Mac operating systems, and if exploited, an attacker can gain access to your messages, photos, and call history.

Researchers at security firm Trellix’s Center for Advanced Study today publication details a bug that could allow criminal hackers to break into Apple’s security and run their own unauthorized code. The team says the security flaws they found, which they rate as medium to high, bypass the protections Apple has put in place to protect users.

“The key here is that the vulnerabilities break Apple’s security model at a fundamental level,” says Doug McKee, director of vulnerability research at Trellix. McKee says the discovery of a new class of bugs means researchers and Apple can potentially find more similar bugs and improve overall security protections. Apple fixed the bugs the company found and there is no evidence that they were used.

Trellix’s findings are based on previous work by Google and Citizen Lab, a research center at the University of Toronto. In 2021, both organizations discovered ForcedEntry, a zero-click, zero-day iOS exploit that was linked to Israeli spyware maker NSO Group. (The exploit, described as highly sophisticated, was found on a Saudi activist’s iPhone and was used to install the Pegasus NSO malware.)

Analysis of ForcedEntry showed that it consists of two key parts. The first tricked the iPhone into opening a malicious PDF disguised as a GIF. The second part allowed the attackers to escape Apple Sandbox, which prevents apps from accessing data stored in other apps and from accessing other parts of the device. Trellix research by Senior Vulnerability Researcher Austin Emmitt focused on this second part and ultimately used the flaws he found to bypass the sandbox.

Specifically, Emmitt discovered a class of vulnerabilities related to NSPredicate, a tool that can filter code on Apple systems. NSPredicate was first abused in ForcedEntry, and as a result of this research, Apple introduced new ways to stop abuse in 2021 as a result. However, it seems that this was not enough. “We have found that these new defenses can be bypassed,” Trellix said in a blog post outlining the details of his research.

McKee explains that bugs in this new NSPredicate class existed in many places in macOS and iOS, including Springboard, an app that manages the iPhone’s home screen and can access location data, photos, and the camera. After exploiting the errors, an attacker can gain access to areas that should be closed. A proof of concept video posted by Trellix shows how the vulnerabilities can be exploited.

The new class of beetles “points the lens at an area that people haven’t explored before because they didn’t know it existed,” McKee says. “Especially in the background of ForcedEntry, because someone at this level of complexity has already exploited a bug in this class.”

It is important to note that any attacker attempting to exploit these bugs would need to gain a foothold on someone’s device. They would need to find a way before they could abuse the NSPredicate system. (The existence of a vulnerability does not mean that it was exploited.)

Apple patched the NSPredicate vulnerabilities discovered by Trellix in its macOS 13.2 and iOS 16.3 software updates that were released in January. Apple has also released a CVE for the vulnerabilities that were discovered: CVE-2023-23530 and CVE-2023-23531. As Apple fixed these vulnerabilities, it also released newer versions of macOS and iOS. These include security fixes for a bug that was used on people’s devices. Make sure you update your iPhone, iPadAnd Poppy every time a new version of the operating system becomes available.