‘New class of bugs’ in Apple devices opens the door to complete takeover
A new class of bugs in Apple’s iOS, iPadOS, and macOS has been uncovered, researchers say, that could allow an attacker to escalate privileges and make off with everything on a targeted device.
This new class could “allow bypassing code signing to execute arbitrary code in the context of several platform applications,” Trellix researcher Austin Emmitt wrote in a blog post on Feb. 21, “leading to escalation of privileges and sandbox escape on both macOS and iOS.”
Were an attacker to exploit these vulnerabilities, they could potentially gain access to a victim’s photos, messages, call history, location data, and all kinds of other sensitive data, even the device’s microphone and camera. They could also use their access to wipe a device altogether.
The vulnerabilities in this class range from medium to high severity, with CVSS ratings between 5.1 and 7.1. Apple grouped them into two CVEs: CVE-2023-23530 and CVE-2023-23531. There’s no indication that they’ve been exploited in the wild.
NSPredicate: A Fresh Cyberattack Vector
The cyber failure in this case arises from NSPredicate, a class that enables app developers to filter lists of objects on a device. This “innocent-looking class,” as Emmitt put it, is much deeper than it may appear at first glance. “In reality, the syntax of NSPredicate is a full scripting language.”
In other words, through NSPredicate, “the ability to dynamically generate and run code on iOS had been an official feature this whole time,” he explained.
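The practical takeaway for anyone who builds predicates from outside input is to keep untrusted text away from the format-string parser altogether. The following is an added example, not code from the Trellix post or from Apple, showing one way to do that: the caller names a field and a value, the field is checked against an allowlist, and the predicate is assembled with the object API so the value is compared as data rather than parsed as predicate syntax. The `Contact` type, the allowlist and the sample records are constructed for the demo, and the code assumes Darwin Foundation (macOS/iOS).

```swift
import Foundation

// Added example, not code from the Trellix post or from Apple: filtering
// records on user-controlled criteria without handing untrusted text to the
// NSPredicate format-string parser. Assumes Darwin Foundation (macOS/iOS).

// Hypothetical record type for the demo; @objc so key-value coding works.
@objc final class Contact: NSObject {
    @objc let name: String
    @objc let city: String
    @objc let age: Int
    init(name: String, city: String, age: Int) {
        self.name = name
        self.city = city
        self.age = age
    }
}

enum FilterError: Error {
    case fieldNotAllowed(String)
}

// Allowlist of key paths a caller may filter on; anything else is rejected
// before it reaches Foundation.
let allowedFields: Set<String> = ["name", "city", "age"]

// Builds "field == value" with the object API. The field is checked against the
// allowlist and the value becomes a constant expression, so it is compared as
// data and is never parsed as predicate syntax.
func equalityPredicate(field: String, value: Any) throws -> NSPredicate {
    guard allowedFields.contains(field) else {
        throw FilterError.fieldNotAllowed(field)
    }
    return NSComparisonPredicate(
        leftExpression: NSExpression(forKeyPath: field),
        rightExpression: NSExpression(forConstantValue: value),
        modifier: .direct,
        type: .equalTo,
        options: []
    )
}

// Constructed sample data.
let contacts = [
    Contact(name: "Ana", city: "Lisbon", age: 31),
    Contact(name: "Ben", city: "Oslo", age: 44),
]

// What NOT to do: splicing caller input into a format string lets the caller
// supply predicate syntax, which the article's point is that syntax is a full
// scripting language. Left as a comment on purpose.
//   let unsafe = NSPredicate(format: "city == '\(userInput)'")

// With the object API the same input is an ordinary string value: it is
// compared literally against each record's city and matches nothing.
let userInput = "Oslo' OR name != '"
let byCity = try equalityPredicate(field: "city", value: userInput)
print("matches for hostile input: \(contacts.filter { byCity.evaluate(with: $0) }.count)")

// Normal use: look up by name and print the matching cities.
let ben = try equalityPredicate(field: "name", value: "Ben")
print("cities for Ben: \(contacts.filter { ben.evaluate(with: $0) }.map { $0.city })")

// A field outside the allowlist is refused before any predicate exists.
do {
    _ = try equalityPredicate(field: "password", value: "x")
} catch {
    print("rejected: \(error)")
}
```

The same approach extends to other comparison operators and to compound predicates via `NSCompoundPredicate`, while still never calling `NSPredicate(format:)` on text a caller supplied.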
In one proof-of-concept, Trellix found that an attacker could use NSPredicate to execute code in “coreduetd” or “contextstored,” root-level processes that allow access to parts of the machine such as the calendar, address book, and photos.
In another case, the researchers found an NSPredicate vulnerability in the UIKitCore framework on the iPad. Here, a malicious app would be able to execute code inside SpringBoard, the app that manages the device’s home screen. Getting into SpringBoard could cause any number of compromises to just about any kind of data a user stores on the phone, or allow an attacker to simply erase the device altogether.
To read the complete article, visit Dark Reading.