Researchers claim to have discovered a "new class" of vulnerabilities that could allow attackers to circumvent Apple's security measures in iOS and macOS to access users' sensitive data.
Trellix's Advanced Research Center published details this week of the privilege escalation vulnerabilities affecting both iPhones and Macs, which allow someone to gain elevated access to the system. Trellix warned that the class of bugs, which range in severity from medium to high, could allow malicious apps to escape their protective "sandbox" and, if left unpatched, access sensitive information on someone's device, such as messages, location data, call history, and photos.
Trellix's findings build on previous research from Google and Citizen Lab, which in 2021 discovered a zero-day exploit called ForcedEntry, used by Israeli spyware maker NSO Group to remotely and stealthily hack into iPhones at the request of its government clients. In response, Apple strengthened its device security protections by adding new code-signing mitigations, which cryptographically verify that the device's software is trusted and hasn't been modified.
However, Trellix stated this week that Apple's mitigations are insufficient to prevent similar attacks.
Trellix stated in a blog post that the new bugs involve NSPredicate, a tool that allows developers to filter code, and around which Apple tightened restrictions following the ForcedEntry bug via a protocol called NSPredicateVisitor. However, Trellix stated that nearly every implementation of NSPredicateVisitor "could be bypassed."
While there is no evidence that these vulnerabilities have been actively exploited, Trellix tells TechCrunch that its research shows that iOS and macOS are "not inherently more secure" than other operating systems.
"The vulnerabilities discovered this week by our team have fundamentally broken their security model," said Doug McKee, Trellix's director of Vulnerability Research, adding that the bugs could have exposed affected Apple devices to a wide range of attack vectors and made improper access to sensitive data easier. "These bugs essentially allow an attacker with low privileged code execution, i.e., basic macOS or iOS functions, to gain much higher privileges."
Trellix said the vulnerabilities it discovered were addressed in Apple's macOS 13.2 and iOS 16.3 software updates, which were released in January. On Tuesday, Apple's security support documents were also updated to reflect the release of the new patches.
Will Strafach, a security researcher and founder of the Guardian firewall app, called the vulnerabilities "pretty clever," but warned that the average user can do little to protect themselves "other than staying vigilant about installing security updates."
And iOS and macOS security researcher Wojciech Reguła told TechCrunch that while the vulnerabilities could be significant, more information is needed to determine the size of the attack surface in the absence of exploits.
Apple's code-signing measures, according to Jamf's Michael Covington, were "never intended to be a silver bullet or a lone solution" for protecting device data. "The vulnerabilities, while significant, demonstrate how layered defenses are critical to maintaining a good security posture," Covington said.
When contacted, Apple declined to comment on the record.