Apple Updates Security Advisories to Add New iOS and macOS Vulnerabilities
February 21, 2023
Apple has updated its security advisories to add three new iOS and macOS vulnerabilities, including ones belonging to a new class of bugs. CVE-2023-23520 is a race condition affecting the crash reporter component, which can allow an attacker to read arbitrary files as root. The other two security holes, tracked as CVE-2023-23530 and CVE-2023-23531, can allow an attacker to "execute arbitrary code out of its sandbox or with certain elevated privileges", according to Apple. These vulnerabilities were reported to Apple by extended detection and response (XDR) company Trellix, who said they have opened a "huge range of potential vulnerabilities" that its researchers are currently investigating. The techniques used to exploit these vulnerabilities were inspired by research conducted by an iOS security researcher known as CodeColorist in 2019 and 2020, and were used in 2021 to deliver Pegasus spyware to iPhones. Apple has taken steps to prevent exploitation, but Trellix researchers discovered that the vendor’s mitigations could be bypassed. As Trellix researcher, CodeColorist, noted, "An attacker who has access to the targeted system can exploit these vulnerabilities to defeat process isolation on iOS and macOS."
Like what you see?
Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.