Date: 2023-02-27

Trellix Advanced Research Centre has identified a new class of bugs in iOS and macOS that could have allowed malicious actors to gain elevated access to data and functions on iPhones and Macs.

The discovery comes after Google and Citizen Lab identified a zero-day exploit called ForcedEntry.

That vulnerability was infamously used by Israeli spyware provider NSO Group to secretly and remotely hack the iPhones of people that the company’s government clients wanted to snoop on.

In response, Apple added new code-signing mitigations that cryptographically verify if a device’s software is unmodified.

The hackers had abused NSPredicate — a tool that lets developers filter code — to break Apple’s security protections and run their own malicious code.

Apple developed the NSPredicateVisitor protocol that added a large denylist to prevent attackers from using certain classes and methods to break security.

But Trellix said it found that nearly every implementation of NSPredicateVisitor could be bypassed.

“By using methods that had not been restricted it was possible to empty these lists, enabling all the same methods that had been available before,” the researchers said.

Trellix subsequently identified vulnerabilities in several processes that could be exploited if an attacker bypassed NSPredicateVisitor.

Trellix’s director of vulnerability research, Doug McKee, told TechCrunch that the discovery could have severe ramifications.

“The vulnerabilities uncovered by our team this week have fundamentally broken their security model,” said McKee.

“These bugs essentially allow an attacker that has achieved low privileged code execution, i.e., basic functions on macOS or iOS, to gain much higher privileges.”

He explained that although there was no evidence of the vulnerabilities being exploited in the wild, the bugs could have exposed affected Apple devices to a wide range of attack vectors and made it easier to gain improper access to sensitive data.

Apple patched the bugs that Trellix identified with the iOS 16.3 and macOS 13.2 updates, which rolled out in January 2023.

