Experts found a large new class of bugs ‘class’ in Apple devices

Tech giant Apple discloses three new vulnerabilities affecting its iOS, iPadOS, and macOS operating systems.

Apple updated its advisories by adding three new vulnerabilities, tracked as CVE-2023-23520, CVE-2023-23530 and CVE-2023-23531, that affect iOS, iPadOS, and macOS.

An attacker can trigger the CVE-2023-23530 flaw to execute arbitrary code out of its sandbox or with certain elevated privileges. The vulnerability resides in the Foundation framework, it was reported by Austin Emmitt from Trellix ARC.

The company addressed the issue with the release of version iOS 16.3, iPadOS 16.3, and macOS Ventura 13.2, which improved memory handling.

“An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges.” reads the advisory. “The issue was addressed with improved memory handling.”

Emmitt also discovered a similar issue, tracked as CVE-2023-23531, in the Foundation component.

“The Trellix Advanced Research Center vulnerability team has discovered a large new class of bugs that allow bypassing code signing to execute arbitrary code in the context of several platform applications, leading to escalation of privileges and sandbox escape on both macOS and iOS.” reads the post published by Trellix. “The vulnerabilities range from medium to high severity with CVSS scores between 5.1 and 7.1.”

Trellix researchers pointed out the vulnerabilities can be used by malicious applications and exploits to gain access to sensitive information of the vulnerable devices.

The experts reported that these flaws can be exploited to bypass mitigations implemented by Apple to neutralize zero-click exploits like FORCEDENTRY. These exploits can be included in surveillance software developed by surveillance firms like the NSO Group, which relied on it to deploy their Pegasus spyware.

“The vulnerabilities above represent a significant breach of the security model of macOS and iOS which relies on individual applications having fine-grained access to the subset of resources they need and querying higher privileged services to get anything else.” concludes the Trellix’s report.

The flaws can allow attackers to access users’ messages, location data, call history, and photos.

The third vulnerability, tracked as CVE-2023-23520, is a race condition in the Crash Reporter component that can be exploited by a malicious actor to read arbitrary files as root. Apple addressed the vulnerability with additional validation.

Cees Elzinga reported the vulnerability.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.