A NEW class of bugs that can affect Apple’s iPhone and Mac operating systems have come to light which, if exploited, could allow an attacker to access users’ messages, photos, and call history.

According to a Wired.com report, researchers from security firm Trellix’s Advanced Research Centre have published details of a bug that could allow hackers to break out of Apple’s security protections and run their own unauthorised code.

Apple has been strengthening the security systems on iPhones and Macs for years but has yet not become immune from such issues.

The team says the security flaws they found bypass protections Apple had put in place to protect users.

“The vulnerabilities range from medium to high severity with CVSS scores between 5.1 and 7.1. These issues could be used by malicious applications and exploits to gain access to sensitive information such as a user’s messages, location data, call history, and photos,” a Trellix statement revealed.

“The key thing here is the vulnerabilities break Apple’s security model at a fundamental level,” said Doug McKee, director of vulnerability research at Trellix.

The new class of bugs “brings a lens to an area that people haven’t been researching before because they didn’t know it existed,” Mr McKee said.

He pointed out that finding the new bug class meant researchers and Apple will potentially be able to find more similar bugs and improve overall security protections.

Apple has fixed the bugs the company found, and no evidence has been found that they were exploited.

The findings by Trellix build on previous work by Google and Citizen Lab, a University of Toronto research facility. In 2021, the two organizations discovered ForcedEntry, a zero-click, zero-day iOS exploit that was linked to Israeli spyware maker NSO Group.

Analysis of ForcedEntry showed two key parts. The first tricked an iPhone into opening a malicious PDF that was disguised as a GIF. The second part allowed attackers to escape Apple’s sandbox, which keeps apps from accessing data stored by other apps and from accessing other parts of the device.

Trellix’s research, by senior vulnerability researcher Austin Emmitt, focuses on that second part and ultimately used the flaws he found to bypass the sandbox.

Mr Emmitt had found a class of vulnerabilities that revolved around NSPredicate, a tool that can filter code within Apple’s systems.

Mr McKee said that the bugs within this new NSPredicate class existed in multiple places across macOS and iOS, including within Springboard, the app that manages the iPhone’s home screen and can access location data, photos, and the camera.

Once the bugs are exploited, the attacker can access areas that are meant to be closed off.

Any attacker trying to exploit these bugs would require an initial foothold into a device and would need to have found a way in before being able to abuse the NSPredicate system.

The existence of a vulnerability doesn’t mean that it has been exploited, the report said.

Apple fixed the NSPredicate vulnerabilities found by Trellix in its macOS 13.2 and iOS 16.3 software updates, which were released in January. It has also issued CVEs for the vulnerabilities that were discovered: CVE-2023-23530 and CVE-2023-23531.

Since the company addressed these vulnerabilities, it has also released newer versions of macOS and iOS. These included security fixes for a bug that was being exploited on people’s devices.

Published in Dawn, February 22nd, 2023

Opinion

Editorial

Judiciary’s SOS
Updated 28 Mar, 2024

Judiciary’s SOS

The ball is now in CJP Isa’s court, and he will feel pressure to take action.
Data protection
28 Mar, 2024

Data protection

WHAT do we want? Data protection laws. When do we want them? Immediately. Without delay, if we are to prevent ...
Selling humans
28 Mar, 2024

Selling humans

HUMAN traders feed off economic distress; they peddle promises of a better life to the impoverished who, mired in...
New terror wave
Updated 27 Mar, 2024

New terror wave

The time has come for decisive government action against militancy.
Development costs
27 Mar, 2024

Development costs

A HEFTY escalation of 30pc in the cost of ongoing federal development schemes is one of the many decisions where the...
Aitchison controversy
Updated 27 Mar, 2024

Aitchison controversy

It is hoped that higher authorities realise that politics and nepotism have no place in schools.