A NEW class of bugs that can affect Apple’s iPhone and Mac operating systems has come to light which, if exploited, could allow an attacker to access users’ messages, photos, and call history.

According to a Wired.com report, researchers from security firm Trellix’s Advanced Research Centre have published details of a bug that could allow hackers to break out of Apple’s security protections and run their own unauthorised code.

Apple has been strengthening the security systems on iPhones and Macs for years but has not yet become immune to such issues.

The team says the security flaws they found bypass protections Apple had put in place to protect users.

“The vulnerabilities range from medium to high severity with CVSS scores between 5.1 and 7.1. These issues could be used by malicious applications and exploits to gain access to sensitive information such as a user’s messages, location data, call history, and photos,” a Trellix statement revealed.

“The key thing here is the vulnerabilities break Apple’s security model at a fundamental level,” said Doug McKee, director of vulnerability research at Trellix.

The new class of bugs “brings a lens to an area that people haven’t been researching before because they didn’t know it existed,” Mr McKee said.

He pointed out that finding the new bug class meant researchers and Apple will potentially be able to find more similar bugs and improve overall security protections.

Apple has fixed the bugs Trellix found, and no evidence has been found that they were exploited.

The findings by Trellix build on previous work by Google and Citizen Lab, a University of Toronto research facility. In 2021, the two organizations discovered ForcedEntry, a zero-click, zero-day iOS exploit that was linked to Israeli spyware maker NSO Group.

Analysis of ForcedEntry showed two key parts. The first tricked an iPhone into opening a malicious PDF that was disguised as a GIF. The second part allowed attackers to escape Apple’s sandbox, which keeps apps from accessing data stored by other apps and from accessing other parts of the device.

Trellix’s research, by senior vulnerability researcher Austin Emmitt, focuses on that second part; he ultimately used the flaws he found to bypass the sandbox.

Mr Emmitt had found a class of vulnerabilities that revolved around NSPredicate, a tool that can filter code within Apple’s systems.

Mr McKee said that the bugs within this new NSPredicate class existed in multiple places across macOS and iOS, including within Springboard, the app that manages the iPhone’s home screen and can access location data, photos, and the camera.

Once the bugs are exploited, the attacker can access areas that are meant to be closed off.

Any attacker trying to exploit these bugs would require an initial foothold into a device and would need to have found a way in before being able to abuse the NSPredicate system.

The existence of a vulnerability doesn’t mean that it has been exploited, the report said.

Apple fixed the NSPredicate vulnerabilities found by Trellix in its macOS 13.2 and iOS 16.3 software updates, which were released in January. It has also issued CVEs for the vulnerabilities that were discovered: CVE-2023-23530 and CVE-2023-23531.

Since the company addressed these vulnerabilities, it has also released newer versions of macOS and iOS. These included security fixes for a bug that was being exploited on people’s devices.

Published in Dawn, February 22nd, 2023
