'New Class of Bugs' in Apple Devices Opens the Door to Complete Takeover

A new class of bugs in Apple’s iOS, iPadOS, and macOS has been uncovered, researchers say, that could allow an attacker to escalate privileges and make off with everything on a targeted device.

This new class could “allow bypassing code signing to execute arbitrary code in the context of several platform applications,” Trellix researcher Austin Emmitt wrote in a blog post on Feb. 21, “leading to escalation of privileges and sandbox escape on both macOS and iOS.”

Were an attacker to exploit these vulnerabilities, they could potentially gain access to a victim’s photos, messages, call history, location data, and all kinds of other sensitive data, even the device’s microphone and camera. They could also use their access to wipe a device altogether.

The vulnerabilities in this class range from medium to high severity, with CVSS ratings between 5.1 and 7.1. Apple grouped them into two CVEs: CVE-2023-23530 and CVE-2023-23531. There’s no indication that they’ve been exploited in the wild.

NSPredicate: A Fresh Cyberattack Vector

The cyber failure in this case arises from NSPredicate, a class that enables app developers to filter lists of objects on a device. This “innocent-looking class,” as Emmitt put it, is much deeper than it may appear at first glance. “In reality, the syntax of NSPredicate is a full scripting language.”

In other words, through NSPredicate, “the ability to dynamically generate and run code on iOS had been an official feature this whole time,” he explained.

In one proof-of-concept, Trellix found that an attacker could use NSPredicate to execute code in “coreduetd” or “contextstored,” root-level processes that allows entryway into parts of the machine such as the calendar, address book, and photos.

In another case, the researchers found an NSPredicate vulnerability in the UIKitCore framework on the iPad. Here, a malicious app would be able to execute code inside SpringBoard, the app that manages the device’s home screen. Getting into SpringBoard could cause any number of compromises to just about any kind of data a user stores on the phone, or allow an attacker to simply erase the device altogether.

The silver lining for this new class of vulnerabilities is that they require an attacker already to have access to a target device. Gaining access is typically the easy part, with methods like phishing and other social engineering being so widely effective, but it also means there are steps anybody can take to harden their defenses.

“Individuals should continue to stay vigilant against social engineering and phishing attacks,” McKee says, “while also ensuring they only install applications from a known trusted source. Businesses are encouraged to ensure they are doing the proper product security testing on any third-party applications they use in their infrastructure and are monitoring device logs for any suspicious or unusual activity.”

Patching Might Not Be the End of the Story

If they haven’t already, Apple users should update their system software, as the newest versions include fixes for the vulnerabilities so described. That doesn’t mean, however, that vulnerabilities of this kind won’t pop up again.

Emmitt highlighted in the blog post how NSPredicate had already been exposed by a security researcher back in 2019, then exploited by NSO Group in 2021, in an espionage attack targeting a Saudi activist. Apple attempted to close the hole but evidently didn’t finish the job, paving the way for the new discoveries.

“Elimination of a bug class is often extremely difficult to accomplish as it often requires not only code changes but education of developers,” explains Doug McKee, director of vulnerability research for Trellix. “Like all bug classes, unless a mitigation is put into place which would eliminate the entire class, it would be expected that more similar vulnerabilities would be found in the future.”

The Myth of Apple’s Superior Security?

The findings are another puncture wound in the perception that Apple devices are somehow inherently more secure than PCs or Android devices.

“Since the first version of iOS on the original iPhone,” Emmitt explained, “Apple has enforced careful restrictions on the software that can run on their mobile devices.”

The devices do this with code signing. Functioning somewhat like a bouncer at a club, iPhone only allows an application to run if it has been cryptographically signed by a trusted developer. If any entity — a developer, hacker, etc. — wishes to run code on the machine, but they’re not “on the list,” they’ll be shut out. And “as macOS has continually adopted more features of iOS,” Emmitt noted, “it has also come to enforce code signing more strictly.”

As a result of its strict policies, Apple has earned a reputation in some corners for being particularly cyber secure. Yet that extra stringency can only extend so far.

“I think that there is a misconception when it comes to Apple devices,” says Mike Burch, director of application security for Security Journey. “The assumption by the public is that they are more secure than other systems. It is true that Apple has many security features and is more stringent about what applications it allows on its devices. Still, they are just as susceptible to vulnerabilities being introduced to their devices as any other provider.”