Researchers have shared their findings regarding six vulnerabilities on macOS and iOS and a new bug class.
The new class of privilege escalation bugs is based on the ForcedEntry attack, which abused a feature of macOS and iOS to deploy the NSO Group’s mobile Pegasus malware. Apple’s mitigation put in place following the discovery of ForcedEntry was insufficient to prevent several related attacks.
The bug class contains numerous zero-day vulnerabilities like the ones exploited in the attack, with CVSS scores between 5.1 and 7.1.
The vulnerabilities lead to a significant breach of the security model of macOS and iOS, which relies on each application having fine-grained access only to the subset of resources it needs and querying higher-privileged services for anything beyond that.
These flaws affect access to SMS and iMessage, as well as location data, photos, and videos. Threat actors could use these bugs to delete specific messages, call history, and voicemails, and wipe a device’s internal storage. These bugs were disclosed to Apple and fixed with macOS 13.2 and iOS 16.3, respectively.
Responding quickly to inbound security disclosures is critically important. Organizations should encourage security researchers to submit issues by providing incentives, typically called bug bounties. Engaging the security research community is an important component of a comprehensive software security initiative. This security advisory was released