When you updated your iPhone to iOS 16.3 last month, you got a few new features, including support for the new HomePod and a dozen security updates. Turns out there were actually 15 security updates; Apple simply didn’t tell us about three of them until this week.
It’s unclear why Apple didn’t disclose the updates, which were also part of macOS 13.2, but Apple says it “does not disclose, discuss, or confirm security issues until an investigation has been conducted and patches or releases are available.” Apple also revealed a previously undisclosed security patch in iOS 16.3.1 and macOS 13.2.1 this week. Here are the details of the three fixes:
Crash Reporter
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; macOS Ventura
- Impact: A user may be able to read arbitrary files as root
- Description: Addressed a race condition with further validation.
- CVE-2023-23520: Cees Elzinga
Foundation
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; macOS Ventura
- Impact: An application can execute arbitrary code outside of its sandbox or with certain elevated privileges
- Description: The problem was fixed by improving memory handling.
- CVE-2023-23530: Austin Emmitt, Senior Security Researcher at Trellix ARC
Foundation
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; macOS Ventura
- Impact: An application can execute arbitrary code outside of its sandbox or with certain elevated privileges
- Description: The problem was fixed by improving memory handling.
- CVE-2023-23531: Austin Emmitt, Senior Security Researcher at Trellix ARC
In a blog post, Trellix described its findings on the Foundation flaws, which include “a large new class of bugs that allow code signing bypasses to execute arbitrary code in the context of cross-platform applications, thereby leading to privilege escalation and sandbox escape on both macOS and iOS.” The bugs stem from the FORCEDENTRY sandbox escape flaw, which exploited Apple’s NSPredicate class and was patched in September. According to Trellix, the discovery of the original vulnerability “opened up a wide range of potential vulnerabilities that we are still exploring.”
As the researchers explain, “an attacker running code in a process with the appropriate rights, such as Messages or Safari, can send a malicious NSPredicate and execute code with the privileges of this process. This process runs as root on macOS and gives the attacker access to the user’s calendar, address book, and photos.”
The company says the vulnerabilities “represent a significant breach of the macOS and iOS security model, which relies on individual apps having fine-grained access to the subset of resources they need and querying the highest privileged services for anything else.”
If you haven’t updated to iOS 16.3, Apple is no longer signing it, which means you’ll have to update to iOS 16.3.1, which includes the iOS 16.3 fixes and features.
Update 02/21: Background added from a Trellix blog post.