macOS & iOS bug could start a new wave of exploits

While the immediate issues arising from a new class of bugs that can defeat the strict code signing of macOS and iOS have been fixed, researchers are wary that there are more to come.

Apple is known to be extremely strict when it comes to code signing on iOS, with only apps cryptographically signed by a developer certificate trusted enough to run on the operating system. With macOS becoming more iOS-like, stricter enforcement of code signing has also been adopted for added security.

However, in a disclosure on Tuesday by security outfit Trellix, there is a "large new class of bugs" that an attacker could use to bypass code signing and allow the execution of code in macOS and iOS. This can lead to an escalation of privileges for the app and an escape from the sandbox.

Such code would theoretically have access to sensitive information stored on the device, such as message histories, location data, and images, among other items.

Initial discovery

The researchers behind the disclosure were intrigued by research from September 2021 by Citizen Lab, which detailed the "ForcedEntry" zero-click exploit for iOS that was used to infect an iPhone with Pegasus malware. After analyzing the details of a sandbox escape, Trellix was interested in how it could dynamically execute code in another process, which bypassed code signing.

Though Apple had removed features to allow an exploit to be used in this way, as well as adding new mitigations, the researchers found that the mitigations could be bypassed.

Specifically, an attacker would use unrestricted methods to empty a large denylist that prevented the use of specific classes and methods. With the lists empty, the attacker would be free to use previously-employed methods without the limitations in the way.

With this discovery, a "huge range of potential vulnerabilities" may have been opened up by using the technique, which the team is "still exploring."

Found vulnerabilities

The first vulnerability in the class to be discovered was in "coreduetd," a process that monitors the behavior of a device. By using code execution in a process with "proper entitlements" in Messages or Safari, a malicious "NSPredicate" could've been sent, with code executable with the privileges of the process.

As the process runs as root in macOS, that would grant the attacker access to the user's calendar, address book, and photos, Trellix claims.

A similar problem was discovered by attacking the "CoreDuet"-related "contextstored," with the use of a vulnerable XPC service that could execute code from a process that has more access to the device's features.

Both "appstored" daemons and "appstoreagent" on macOS had vulnerable XPC services, which could be used to exploit the same vulnerabilities. Ultimately, this could've led to the installation of "arbitrary applications, potentially even including system apps."

Trellix claims the vulnerabilities "represent a significant breach of the security model of macOS and iOS which relies on individual applications having fine-grained access to the subset of resources they need, and querying higher privileged services to get anything else."

Services that accept NSPredicate arguments but do not adequately check them can enable malicious actors to run code "to defeat process isolation and directly access far more resources than should be allowed."
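One form such a check can take, as an added Objective-C example that is not code from Trellix, Apple or the article: a helper (hypothetical name `PredicateIsAllowed`) that walks an NSPredicate a service received over XPC and rejects every expression type other than key paths and constants before the predicate is ever evaluated. The sample predicates at the bottom are constructed stand-ins for XPC input.

```objc
#import <Foundation/Foundation.h>

// Hypothetical helper, not Apple's or Trellix's code: a leaf expression is
// acceptable only if it is pure data (a key path or a constant). Function
// expressions, subqueries, variables and the like are refused.
static BOOL ExpressionIsAllowed(NSExpression *expr) {
    switch (expr.expressionType) {
        case NSKeyPathExpressionType:
        case NSConstantValueExpressionType:
            return YES;  // plain data, nothing the service would execute
        default:
            return NO;   // NSFunctionExpressionType etc. can invoke selectors
    }
}

// Walk the predicate tree. Only compound predicates built from comparisons of
// a key path against a constant pass; anything unknown is rejected.
static BOOL PredicateIsAllowed(NSPredicate *pred, NSUInteger depth) {
    if (depth > 8) return NO;  // constructed bound on nesting depth
    if ([pred isKindOfClass:[NSCompoundPredicate class]]) {
        for (NSPredicate *sub in ((NSCompoundPredicate *)pred).subpredicates) {
            if (!PredicateIsAllowed(sub, depth + 1)) return NO;
        }
        return YES;
    }
    if ([pred isKindOfClass:[NSComparisonPredicate class]]) {
        NSComparisonPredicate *cmp = (NSComparisonPredicate *)pred;
        return ExpressionIsAllowed(cmp.leftExpression) &&
               ExpressionIsAllowed(cmp.rightExpression);
    }
    return NO;  // block predicates, value predicates, anything else
}

int main(void) {
    @autoreleasepool {
        // Constructed inputs standing in for predicates received over XPC.
        NSPredicate *benign =
            [NSPredicate predicateWithFormat:@"name == %@ AND count > 3", @"calendar"];
        NSPredicate *suspect =
            [NSPredicate predicateWithFormat:@"FUNCTION(self, 'description') == 'x'"];
        NSLog(@"benign allowed: %d", PredicateIsAllowed(benign, 0));
        NSLog(@"suspect allowed: %d", PredicateIsAllowed(suspect, 0));
    }
    return 0;
}
```

Run the check in the XPC handler before the predicate touches any data; the allowlist is deliberately narrow, so widen it only for expression types the service actually needs.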

How to protect yourself

Like many other situations where a vulnerability has been responsibly disclosed, a fix has already been applied to the operating systems. The issues were addressed with the release of macOS 13.2 and iOS 16.3.

"We would like to thank Apple for working quickly with Trellix to fix these issues," the firm's disclosure concludes.

In effect, all that's needed to plug the early vulnerability found is to update the operating systems to macOS 13.2, iOS and iPadOS 16.3, or later.

Updating operating systems should be performed regularly, or set to run automatically, simply because each typically includes security fixes, along with performance improvements and new features.

Given that the researchers are looking deeper into this sort of vulnerability, there may be more on the way. Keeping your operating system up to date may be one of the best things to do to mitigate them as they surface.



  • Reply 1 of 5
    lkrupp Posts: 10,557 member
    Scary headline followed by “already fixed.” How typical. Yet when Apple stops signing the unpatched version the “It’s mine and I can do whatever I want with it” wailing starts. Also typical. What a world.
    edited February 21
  • Reply 2 of 5
    larryjw Posts: 1,024 member
    I wonder if the general theory of undecidability would imply no program can be written to prevent all security exploits of the given program. 
  • Reply 3 of 5
    dewme Posts: 5,135 member
    lkrupp said:
    Scary headline followed by “already fixed.” How typical. Yet when Apple stops signing the unpatched version the “It’s mine and I can do whatever I want with it” wailing starts. Also typical. What a world.
    I think AppleInsider adequately explains why they are bringing this to our attention even though the first known exploit using this kind of attack vector has been mitigated. 

    Every new type of exploit exposes a vulnerability that the developers of the system probably didn’t adequately consider beforehand. Where there is smoke there is fire and the attackers will most certainly look to find other attack vectors that potentially leverage the same kind of flaw in understanding that resulted in the already discovered exploit to exist. 

    I’ve frequently followed the same pattern when reviewing other people’s code for defects. If a developer injects a defect that’s associated with a misunderstood concept or flawed assumption it’s quite easy to find many other places in the same person’s code where the pattern repeats itself. 

    The vulnerabilities in the exploit described in this article seem to break the assumption that the certificate verification and revocation process represented a stronger layer of protection than it actually did. Someone learned how to bypass the assumption of invulnerability, kind of like how the Maginot Line proved to be ineffective in WW2. 
  • Reply 4 of 5
    Apple has fixed it, however there are many people who will not upgrade and there are people who cannot upgrade. 
  • Reply 5 of 5
    chasm Posts: 3,070 member
    Apple has fixed it, however there are many people who will not upgrade and there are people who cannot upgrade. 
    Apple has been known to issue security fixes for the non-current OS versions for a minimum of three years, and as we’ve recently seen it has gone well beyond that in recent patches for devices up to seven years old.

    People who don’t upgrade when security fixes become available are asking for trouble, and should take their machines offline when it has become clear that no more security fixes are coming, as I’ve done with my 2012 MBP (which I still use occasionally for old software stuff).