Apple ships security fixes for critical vulnerabilities in practically every release of iOS and macOS. Released in January, iOS 16.3 and macOS Ventura 13.2 were no exception. Both updates contained fixes for various issues, including two specifically mentioned in a report from Trellix today.
Trellix Advanced Research Center found a new class of privilege escalation bugs in iOS and macOS. These bugs might be used to access a user’s messages, location information, photographs, call history, and other information on an iPhone or Mac.
In a blog post outlining how the flaw was discovered, Trellix describes how the mitigations Apple implemented for the FORCEDENTRY zero-click exploit in September 2021 could be bypassed, opening up a “vast spectrum of potential vulnerabilities.”
Trellix first discovered a flaw in the crediting process that could give an attacker access to a person’s address list, calendar, and photographs. Attackers could also use vulnerabilities in OSLogService and NSPredicate to execute code within SpringBoard, gaining access to the camera, microphone, call history, and other features.
After receiving information regarding these flaws, Apple patched the issues in iOS 16.3 and macOS Ventura 13.2. Yesterday, the security support documents for both releases were updated to reflect the inclusion of the patches.
Trellix is credited with reporting two of the security holes (CVE-2023-23530 and CVE-2023-23531), which Apple fixed with better memory management. Trellix expressed appreciation to Apple for moving fast to address the problems.