Apple has updated the security advisory it issued last month to add three new vulnerabilities that affect iOS, iPadOS, and macOS.
The first flaw (CVE-2023-23520) is a race condition in the Crash Reporter component that could allow a malicious actor to read arbitrary files as root. Apple stated that it has addressed the issue with additional validation.
The other two flaws, discovered by Trellix researcher Austin Emmitt, are in the Foundation framework (CVE-2023-23530 and CVE-2023-23531) and might be exploited to gain code execution.
“An app may be able to run arbitrary code outside of its sandbox or with certain elevated privileges,” Apple explained, adding that the concerns have been fixed with “better memory handling.”
The medium to high-severity vulnerabilities were patched in iOS 16.3, iPadOS 16.3, and macOS Sierra 13.2, all of which were released on January 23, 2023.
Trellix described the two holes as a “new class of issues that allow bypassing code signing to execute arbitrary code in the context of many platform programmes, resulting in privilege escalation and sandbox escape on both macOS and iOS.”
The issues also bypass Apple’s mitigations for zero-click exploits like FORCEDENTRY, which was used by Israeli mercenary spyware vendor NSO Group to install Pegasus on targets’ devices.
As a result, a threat actor might exploit these flaws to escape the sandbox and run malicious code with elevated privileges, possibly providing access to the calendar, address book, messages, location data, call history, camera, microphone, and photographs.
Worryingly, the security flaws might be exploited to install arbitrary software or even wipe the device. Nevertheless, in order to exploit the flaws, an attacker must first gain a foothold on the system.
“The aforementioned vulnerabilities represent a severe violation of macOS and iOS’s security model, which relies on individual programmes having fine-grained access to the subset of resources they require and requesting higher privileged services for anything else,” Emmitt added.
Info source – The Hacker News