Apple recently revised its security advisories to include three new vulnerabilities that affect iOS, iPadOS, and macOS. The medium to high-severity vulnerabilities was patched in iOS 16.3, iPadOS 16.3, and macOS Ventura 13.2, which were released on January 23, 2023.
The first vulnerability is a race condition in the Crash Reporter component (CVE-2023-23520) that allows a malicious actor to read arbitrary files as root. Apple resolved the issue with additional validation.
The other two vulnerabilities (CVE-2023-23530 and CVE-2023-23531) were discovered by Trellix researcher Austin Emmitt and are located in the Foundation framework. These vulnerabilities could be used to execute arbitrary code and bypass mitigations that Apple put in place to address zero-click exploits. Trellix categorized the vulnerabilities as a "new class of bugs that allow bypassing code signing to execute arbitrary code in the context of several platform applications, leading to escalation of privileges and sandbox escape on both macOS and iOS."
The exploitation of the flaws could allow a threat actor to break out of the sandbox and execute malicious code with elevated permissions, potentially giving access to sensitive data such as the calendar, address book, messages, location data, call history, camera, microphone, and photos. In addition, the vulnerabilities could be abused to install arbitrary applications or even wipe the device. However, exploiting the flaws requires an attacker to have already obtained an initial foothold in the device.
Emmitt noted that "the vulnerabilities above represent a significant breach of the security model of macOS and iOS which relies on individual applications having fine-grained access to the subset of resources they need and querying higher privileged services to get anything else."
In conclusion, Apple has addressed these vulnerabilities in its latest updates, and users are advised to update their devices to the latest versions to ensure their security.
Thank you for reading our blog today. We hope you found the information helpful and informative. If you enjoyed this blog, follow us on Twitter, Instagram, Linkedin, GitHub, Website, and Youtube for more exciting content and updates. If you have any questions or comments, please feel free to reach out to us. We would love to hear from you. Don't forget to share this with your friends and family who may also find this information useful. Thank you for your support and stay tuned for more!