When you updated your iPhone to iOS 16.3 last month, you got a few new features, including support for the new HomePod and a dozen security updates. Turns out there were actually 15 security updates – Apple didn’t tell us about three until this week.
It’s unclear why Apple didn’t disclose the updates, which were also part of macOS 13.2, but Apple says it “does not disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.” Apple also this week revealed a previously undisclosed security patch in iOS 16.3.1 and macOS 13.2.1. Here are the details of the three fixes:
Crash Reporter
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; macOS Ventura
- Impact: A user may be able to read arbitrary files as root
- Description: A race condition was handled with additional validation.
- CVE-2023-23520: Cees Elzinga
Foundation
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; macOS Ventura
- Impact: An application may be able to execute arbitrary code out of its sandbox or with certain elevated privileges
- Description: The issue was addressed through improved memory management.
- CVE-2023-23530: Austin Emmitt, Principal Security Researcher at Trellix ARC
Foundation
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; macOS Ventura
- Impact: An application may be able to execute arbitrary code out of its sandbox or with certain elevated privileges
- Description: The issue was addressed through improved memory management.
- CVE-2023-23531: Austin Emmitt, Principal Security Researcher at Trellix ARC
In a blog post, Trellix described findings from the Foundation flaw, which include “an important new class of bugs that allow code signing to be bypassed to execute arbitrary code in the context of multiple platform applications, resulting in an escalation of privileges and sandbox escape on both macOS and iOS.” The bug stems from the so-called FORCEDENTRY Sandbox Escape flaw that exploited Apple’s NSPredicate class and was patched in September. According to Trellix, the discovery of the original vulnerability “has opened up a wide range of potential vulnerabilities that we are still exploring.”
As the researchers explain, “An attacker with code execution in a process with the appropriate privileges, such as Messages or Safari, can send a malicious NSPredicate and execute code with that process’s privileges. This process runs as root on macOS and allows the attacker to access the user’s calendar, address book, and photos.”
The company says the vulnerabilities “represent a significant breach of the macOS and iOS security model which relies on individual apps having precise access to the subset of resources they need and querying higher privileged services to obtain something else.”
If you haven’t updated to iOS 16.3, Apple is no longer signing it, which means you’ll need to update to iOS 16.3.1, which will include iOS 16.3 fixes and features.
Update 2/21: Added background from a Trellix blog post.