While the immediate issues arising from a new class of bugs that can defeat the strict code signing of macOS and iOS have been fixed, researchers warn that more are likely to follow.
Apple is known for being extremely strict about code signing on iOS: only apps cryptographically signed with a trusted developer certificate are allowed to run on the operating system. As macOS has become more iOS-like, it has adopted stricter enforcement of code signing for added security.
However, in a disclosure on Tuesday by security firm Trellix, there is a "large new class of bugs" that an attacker could use to bypass code signing and execute code on macOS and iOS. This can lead to privilege escalation for the app and an escape from its sandbox.
Such code would theoretically have access to sensitive information stored on the device, such as message histories, location data, and images, among other items.
Initial discovery
The researchers behind the disclosure were intrigued by research published in September 2021 by Citizen Lab, which detailed the "ForcedEntry" zero-click iOS exploit used to infect an iPhone with Pegasus malware. After analyzing the details of its sandbox escape, Trellix was interested in how the exploit could dynamically execute code in another process, bypassing code signing.
Though Apple had removed the features that allowed the exploit to work this way and added new mitigations, the researchers found that those mitigations could be bypassed.
Specifically, the mitigation relied on a large denylist that blocked the use of specific classes and methods, but an attacker could use methods that were not restricted to empty that denylist. With the lists empty, the attacker would be free to use the previously employed methods without the limitations in the way.
With this discovery, the technique may have opened up a "huge range of potential vulnerabilities," which the team is "still exploring."
Found vulnerabilities
The first vulnerability in the class to be discovered was in "coreduetd," a process that monitors the behavior of a device. Using code execution in a process with "proper entitlements," such as Messages or Safari, a malicious "NSPredicate" could have been sent to it, and the resulting code would run with coreduetd's privileges.
Because that process runs as root on macOS, this would grant the attacker access to the user's calendar, address book, and photos, Trellix says.
A similar problem was found in "contextstored," which is also related to "CoreDuet": a vulnerable XPC service allowed code to be executed in a process that has more access to the device's features.
Both the "appstored" daemon and "appstoreagent" on macOS also had vulnerable XPC services, which could be exploited in the same way. Ultimately, this could have led to the installation of "arbitrary applications, potentially even including system apps."
Trellix claims the vulnerabilities "represent a significant breach of the security model of macOS and iOS which relies on individual applications having fine-grained access to the subset of resources they need, and querying higher privileged services to get anything else."
Services that accept NSPredicate arguments but do not adequately check them can let malicious actors run code "to defeat process isolation and directly access far more resources than should be allowed."
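To make the bug class concrete, here is an added illustration (my own example code, not Apple's, Trellix's, or code from any of the daemons named above). It shows how an NSPredicate format string can call a method on an object through FUNCTION(), which is the capability an unchecked, caller-supplied predicate hands to whoever sends it, and it contrasts the denylist approach described above with an allowlist check over the parsed predicate tree that a privileged XPC service could run before evaluating anything. The record fields and the key-path allowlist are made up for the example.

```objc
#import <Foundation/Foundation.h>

// Returns YES only if an expression node is a constant or an allowlisted key path.
// Everything else (FUNCTION(), SUBQUERY, aggregates, variables, blocks) is rejected:
// NSFunctionExpressionType is what lets a predicate string invoke a selector on an object.
static BOOL IsExpressionSafe(NSExpression *expr) {
    switch (expr.expressionType) {
        case NSConstantValueExpressionType:
            return YES;
        case NSKeyPathExpressionType: {
            // Hypothetical allowlist of fields a client may query; adjust per service.
            NSArray<NSString *> *allowedKeys = @[@"name", @"bundleID", @"timestamp"];
            return [allowedKeys containsObject:expr.keyPath];
        }
        default:
            return NO;
    }
}

// Walks the predicate tree with an allowlist, the opposite of a denylist that an
// attacker can empty: anything not explicitly permitted fails the check.
static BOOL IsPredicateSafe(NSPredicate *pred) {
    if ([pred isKindOfClass:[NSCompoundPredicate class]]) {
        for (NSPredicate *sub in ((NSCompoundPredicate *)pred).subpredicates) {
            if (!IsPredicateSafe(sub)) return NO;
        }
        return YES;
    }
    if ([pred isKindOfClass:[NSComparisonPredicate class]]) {
        NSComparisonPredicate *cmp = (NSComparisonPredicate *)pred;
        // A custom-selector comparison also calls an arbitrary method, so reject it.
        if (cmp.predicateOperatorType == NSCustomSelectorPredicateOperatorType) return NO;
        return IsExpressionSafe(cmp.leftExpression) && IsExpressionSafe(cmp.rightExpression);
    }
    // Any other predicate kind (block predicates, TRUEPREDICATE, ...) is not allowed.
    return NO;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample data standing in for whatever a daemon would query.
        NSArray *records = @[@{@"name": @"alpha", @"bundleID": @"com.example.a"},
                             @{@"name": @"beta",  @"bundleID": @"com.example.b"}];

        // An ordinary query: key path compared with a constant. Passes the check.
        NSPredicate *benign = [NSPredicate predicateWithFormat:@"name == %@", @"alpha"];

        // FUNCTION(receiver, 'selector') makes the predicate call a method on an object.
        // The receiver and selector here are harmless, but in a root daemon the same
        // mechanism reaches any method the process can call. Fails the check.
        NSPredicate *hostile = [NSPredicate predicateWithFormat:
                                @"FUNCTION('alpha', 'uppercaseString') == 'ALPHA'"];

        NSLog(@"benign  safe=%d", IsPredicateSafe(benign));
        NSLog(@"hostile safe=%d", IsPredicateSafe(hostile));

        // A service should only ever evaluate predicates that pass the check.
        if (IsPredicateSafe(benign)) {
            NSArray *hits = [records filteredArrayUsingPredicate:benign];
            NSLog(@"matches=%lu", (unsigned long)hits.count);
        }
        if (IsPredicateSafe(hostile)) {
            // Never reached: the validator refuses to evaluate it.
            [records filteredArrayUsingPredicate:hostile];
        }
    }
    return 0;
}
```

Build on macOS with `clang -framework Foundation example.m -o example`. The stronger fix, and the one worth preferring in a privileged XPC service, is to not accept serialized predicates across the privilege boundary at all: accept a narrowly typed query (field name plus value) and build the NSPredicate on the server side with predicateWithFormat: and argument substitution, so the client never controls the predicate structure.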
How to protect yourself
As in many other cases where a vulnerability has been responsibly disclosed, a fix has already been applied to the operating systems. The issues were addressed in macOS 13.2 and iOS 16.3.
"We would like to thank Apple for working quickly with Trellix to fix these issues," the firm's disclosure concludes.
In effect, all that is needed to plug the vulnerabilities found so far is to update to macOS 13.2, iOS and iPadOS 16.3, or later.
Operating system updates should be installed regularly, or set to run automatically, simply because each typically includes security fixes alongside performance improvements and new features.
Given that the researchers are looking deeper into this sort of vulnerability, more may be on the way. Keeping your operating system up to date is one of the best things you can do to mitigate them as they surface.
5 Comments
Scary headline followed by “already fixed.” How typical. Yet when Apple stops signing the unpatched version, the “It’s mine and I can do whatever I want with it” wailing starts. Also typical. What a world.
I wonder if the general theory of undecidability would imply no program can be written to prevent all security exploits of the given program.
Apple has fixed it, however there are many people who will not upgrade and there are people who cannot upgrade.