New Class of Bugs in Apple Devices Opens the Door to Complete Takeover

Published: 23/11/2024   Category: security




With the right kind of exploit, there's hardly any function, app, or bit of data an attacker couldn't access on your Mac, iPad, or iPhone.



A new class of bugs in Apple's iOS, iPadOS, and macOS has been uncovered, researchers say, that could allow an attacker to escalate privileges and make off with everything on a targeted device.
"This new class could allow bypassing code signing to execute arbitrary code in the context of several platform applications," Trellix researcher Austin Emmitt wrote in a blog post on Feb. 21, "leading to escalation of privileges and sandbox escape on both macOS and iOS."
Were an attacker to exploit these vulnerabilities, they could potentially gain access to a victim's photos, messages, call history, location data, and all kinds of other sensitive data, even the device's microphone and camera. They could also use their access to wipe a device altogether.
The vulnerabilities in this class range from medium to high severity, with CVSS ratings between 5.1 and 7.1. Apple grouped them into two CVEs: CVE-2023-23530 and CVE-2023-23531. There's no indication that they've been exploited in the wild.
The cyber failure in this case arises from NSPredicate, a class that enables app developers to filter lists of objects on a device. This "innocent-looking class," as Emmitt put it, is much deeper than it may appear at first glance. In reality, the syntax of NSPredicate is a full scripting language.
"In other words, through NSPredicate, the ability to dynamically generate and run code on iOS had been an official feature this whole time," he explained.
In one proof-of-concept, Trellix found that an attacker could use NSPredicate to execute code in coreduetd or contextstored, root-level processes that allow entry into parts of the machine such as the calendar, address book, and photos.
In another case, the researchers found an NSPredicate vulnerability in the UIKitCore framework on the iPad. Here, a malicious app would be able to execute code inside SpringBoard, the app that manages the device's home screen. Getting into SpringBoard could cause any number of compromises to just about any kind of data a user stores on the phone, or allow an attacker to simply erase the device altogether.
The silver lining for this new class of vulnerabilities is that they require an attacker already to have access to a target device.
Gaining access is typically the easy part, with methods like phishing and other social engineering being so widely effective, but it also means there are steps anybody can take to harden their defenses.
"Individuals should continue to stay vigilant against social engineering and phishing attacks," McKee says, "while also ensuring they only install applications from a known trusted source. Businesses are encouraged to ensure they are doing the proper product security testing on any third-party applications they use in their infrastructure and are monitoring device logs for any suspicious or unusual activity."
If they haven't already, Apple users should update their system software, as the newest versions include fixes for the vulnerabilities described here. That doesn't mean, however, that vulnerabilities of this kind won't pop up again.
Emmitt highlighted in the blog post how NSPredicate had already been exposed by a security researcher back in 2019, then exploited by NSO Group in 2021, in an espionage attack targeting a Saudi activist. Apple attempted to close the hole but evidently didn't finish the job, paving the way for the new discoveries.
"Elimination of a bug class is often extremely difficult to accomplish as it often requires not only code changes but education of developers," explains Doug McKee, director of vulnerability research for Trellix. "Like all bug classes, unless a mitigation is put into place which would eliminate the entire class, it would be expected that more similar vulnerabilities would be found in the future."
The findings are another puncture wound in the perception that Apple devices are somehow inherently more secure than PCs or Android devices.
Since the first version of iOS on the original iPhone, Emmitt explained, Apple has enforced careful restrictions on the software that can run on their mobile devices.
The devices do this with code signing. Functioning somewhat like a bouncer at a club, iPhone only allows an application to run if it has been cryptographically signed by a trusted developer. If any entity — a developer, hacker, etc. — wishes to run code on the machine but isn't on the list, it will be shut out. And as macOS has continually adopted more features of iOS, Emmitt noted, it has also come to enforce code signing more strictly.
As a result of its strict policies, Apple has earned a reputation in some corners for being particularly cyber secure. Yet that extra stringency can only extend so far.
"I think that there is a misconception when it comes to Apple devices," says Mike Burch, director of application security for Security Journey. "The assumption by the public is that they are more secure than other systems. It is true that Apple has many security features and is more stringent about what applications it allows on its devices. Still, they are just as susceptible to vulnerabilities being introduced to their devices as any other provider."