New Privilege Escalation Bug Class Found on macOS and iOS


Cybersecurity researchers from Trellix have shared their findings regarding six vulnerabilities on macOS and iOS and a new bug class.

In an advisory published earlier today, the company said the new class of privilege escalation bugs builds on the technique used in the ForcedEntry exploit, which abused the NSPredicate feature of macOS and iOS to escape the sandbox and deploy NSO Group's Pegasus mobile spyware.

According to the technical write-up, the mitigations Apple put in place after ForcedEntry was discovered were insufficient: several related attacks remained possible.

In particular, the new bug class contains several vulnerabilities similar to those exploited in that attack. They were zero-days at the time of discovery and carry CVSS scores between 5.1 and 7.1, i.e. medium to high severity.

"The vulnerabilities above represent a significant breach of the security model of macOS and iOS which relies on individual applications having fine-grained access to the subset of resources they need and querying higher privileged services to get anything else," explained Austin Emmitt, Trellix senior vulnerability researcher.

The discovered flaws affected access to SMS and iMessage, as well as location data, photos and videos. Threat actors could use these bugs to delete specific messages, call history or voicemail, or to wipe a device's internal storage. The bugs were disclosed to Apple and fixed in macOS 13.2 and iOS 16.3.

"Trellix's disclosures of privilege escalation vulnerabilities affecting macOS and iOS illustrate a fruitful interplay between security researchers and Apple," explained Jonathan Knudsen, head of global research at the Synopsys Cybersecurity Research Center.

"Software must be built with security in mind at every phase, with the goal of finding and eliminating as many vulnerabilities as possible. Even when you do everything right, however, some vulnerabilities can still be present in the released software," Knudsen told Infosecurity in an email.

The security expert also noted that security researchers often discover additional vulnerabilities after a product has been released.

"Responding quickly to inbound security disclosures is critically important. Some organizations, including Apple, encourage security researchers to submit issues by providing incentives, typically called bug bounties," Knudsen added. "Recognizing and engaging the security research community is an important component of a comprehensive software security initiative."

The Trellix advisory comes weeks after Sophos researchers claimed to have discovered the first "cryptorom" scam applications on Apple's App Store.
