• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

My TechDecisions

  • Best of Tech Decisions
  • Topics
    • Video
    • Audio
    • Mobility
    • Unified Communications
    • IT Infrastructure
    • Network Security
    • Physical Security
    • Facility
    • Compliance
  • RFP Resources
  • Resources
  • Podcasts
  • Project of the Week
  • About Us
    SEARCH
IT Infrastructure, Network Security, News

These macOS, iOS Vulnerabilities Could Allow Attackers to Access Messages, Photos & Call History

Cybersecurity firm Trellix has discovered new privilege escalation bugs in macOS and iOS that could give hackers access to sensitive data.

February 21, 2023 Zachary Comeau Leave a Comment

iOS macOS vulnerabilities
stock.adobe.com

Cybersecurity firm Trellix says it has discovered a new class of privilege escalation bugs in macOS and iOS that could allow attackers to bypass code signing to execute arbitrary code and gain access to messages, location data, call history and photos.

According to the firm, this could allow sandbox escape on both macOS and iOS. The vulnerabilities range from medium to high severity, with CVSS scores between 5.1 and 7.1. Attackers could use these exploits–which have been fixed in recent updates–to gain access to sensitive information such as a user’s messages, location data, call history and photos.

In a research blog, Trellix details a 2021 bug that allowed for 0-click remote code execution that was used to infect a Saudi activist’s iPhone with the Pegasus malware. The exploits included the initial exploitation of PDF parsing code and sandbox escape.

“While much attention was given to the first exploit, we were much more interested in the second as it described a way to dynamically execute arbitrary code in another process which completely sidestepped code signing,” the company’s researchers say.

Trellix describes that exploit as such:

It involved NSPredicate, an innocent looking class that allows developers to filter lists of arbitrary objects. In reality the syntax of NSPredicate is a full scripting language. The ability to dynamically generate and run code on iOS had been an official feature this whole time. However, this was just the beginning, as this feature revealed an entirely new bug class that completely breaks inter-process security in macOS and iOS.

However, this was not the first example, as a researcher in 2019 discovered how to exploit the mechanics of NSPredicate to run arbitrary code.

The gist of this research was that NSExpression objects, the building blocks of an NSPredicate, could be used to call arbitrary methods on arbitrary classes and objects. Using existing classes in Apple’s private frameworks, it was possible to bypass pointer authentication (PAC) and every other mitigation to call any function. However, the post also describes ways in which Apple has mitigated the dangerousness of these objects, namely through a protocol called NSPredicateVisitor. Classes that implement this protocol can be used to check every expression to make sure they were safe to evaluate. CodeColorist notes at the end of his post that “Without a proper validation, it could be an inter-process attack surface to bypass TCC.”

This led to the discovery of a “large new class of bugs” that allow bypassing code signing to execute arbitrary code in the context of several applications, leading to escalation of privileges and sandbox escape on both operating systems.

Apple has removed features used in previous exploits and added new mitigations to restrict what could be done with NSPredicate using large denylist to prevent the use of certain classes and methods, but Trellix discovered that the new mitigations could be bypassed.

By using methods that had not been restricted it was possible to empty these lists, enabling all the same methods that had been available before. This bypass was assigned CVE-2023-23530 by Apple. Even more significantly we discovered that nearly every implementation of NSPredicateVisitor could be bypassed. There are many processes with XPC Services (the primary method of high-level inter-process communication on macOS and iOS) that accept NSPredicate arguments and use NSPredicateVisitor to ensure that the provided expression is safe to evaluate. While there is no single implementation as nearly every process has its own version, most use the “expressionType” property to filter out function expressions. The issues reside in the fact that this property can be set in the sending process and is trusted to be accurate by the receiver, rendering the checks useless. This bypass was assigned CVE-2023-23531. These two techniques opened a huge range of potential vulnerabilities that we are still exploring.

According to Trellix, an attacker could use the bugs to access a user’s calendar, address book and photos, as well as install arbitrary applications.

Other vulnerabilities could allow an attacker to read potentially sensitive information from the syslog, or exploit an NSPredicate vulnerability in UIKitCore on the iPad. Attackers could use to achieve code execution inside SpringBoard, a highly privileged app that can access location data, camera, microphone, call history, photos and other sensitive data, as well as wipe the device.

Apple addressed these issues with the release of macOS 13.2 and iOS 16.3, according to the Trellix blog.

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!

Tagged With: Apple, Trellix, Vulnerabilities

Related Content:

  • Cloud, SASE, Aryaka How the Cloud is Redefining Media Production and…
  • Singlewire Software mass notification interview Singlewire Software on Mass Notification Solutions
  • URI catchbox 1 Catchbox Plus: The Mic Solution That Finally Gave…
  • Engaging virtual meeting with diverse participants discussing creative ideas in a bright office space during daylight hours Diversified Survey: Workplace AV Tech is Falling Short,…

Free downloadable guide you may like:

  • Practical Design Guide for Office SpacesPractical Design Guide for Office Spaces

    Recent Gartner research shows that workers prefer to return to the office for in-person meetings for relevant milestones, as well as for face-to-face time with co-workers. When designing the office spaces — and meeting spaces in particular — enabling that connection between co-workers is crucial. But introducing the right collaboration technology in meeting spaces can […]

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Latest Downloads

Practical Design Guide for Office Spaces
Practical Design Guide for Office Spaces

Recent Gartner research shows that workers prefer to return to the office for in-person meetings for relevant milestones, as well as for face-to-fa...

New Camera Can Transform Your Live Production Workflow
New Camera System Can Transform Your Live Production Workflow

Sony's HXC-FZ90 studio camera system combines flexibility and exceptional image quality with entry-level pricing.

Creating Great User Experience and Ultimate Flexibility with Clickshare

Working and collaborating in any office environment today should be meaningful, as workers today go to office for very specific reasons. When desig...

View All Downloads

Would you like your latest project featured on TechDecisions as Project of the Week?

Apply Today!

More from Our Sister Publications

Get the latest news about AV integrators and Security installers from our sister publications:

Commercial IntegratorSecurity Sales

AV-iQ

Footer

TechDecisions

  • Home
  • Welcome to TechDecisions
  • Contact Us
  • Comment Guidelines
  • RSS Feeds
  • Twitter
  • Facebook
  • Linkedin

Free Technology Guides

FREE Downloadable resources from TechDecisions provide timely insight into the issues that IT, A/V, and Security end-users, managers, and decision makers are facing in commercial, corporate, education, institutional, and other vertical markets

View all Guides
TD Project of the Week

Get your latest project featured on TechDecisions Project of the Week. Submit your work once and it will be eligible for all upcoming weeks.

Enter Today!
Emerald Logo
ABOUTCAREERSAUTHORIZED SERVICE PROVIDERSYour Privacy ChoicesTERMS OF USEPRIVACY POLICY

© 2025 Emerald X, LLC. All rights reserved.