In a blog post, Trellix outlined the findings of the Foundation flaw, which include “a large new class of bugs that allow bypassing code signing to execute arbitrary code in the context of several platform applications, leading to escalation of privileges and sandbox escape on both macOS and iOS.” The bug originates from the so-called FORCEDENTRY Sandbox Escape flaw that exploited Apple’s NSPredicate class and was patched in September.

CVE-2023-23531: Austin Emmitt, Senior Security Researcher at Trellix ARC.

CVE-2023-23530: Austin Emmitt, Senior Security Researcher at Trellix ARC.

Description: The issue was addressed with improved memory handling.

Impact: An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges.

Description: A race condition was addressed with additional validation.

Impact: A user may be able to read arbitrary files as root.

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later macOS Ventura.

Anyone with an iPhone in their pocket or a Mac on their desk should be hitting that update button today. Apple has announced an emergency patch for iPhones, iPads, and macOS computers, an increasingly common event. The update addresses a pair of zero-day vulnerabilities in Apple's software, meaning they are already being used in the wild to exploit devices.

Apple macOS Monterey has been updated to v12.5.1, and iOS is now on v15.6.1. The updates address the same pair of vulnerabilities on both mobile and desktop platforms. If you're on an older version of macOS, you are not vulnerable to this particular issue. However, all iPhone models from the 6s onward are affected, as are all models of the iPad Pro, as well as the iPad Air 2, the 5th Gen iPad, the iPad Mini 4, and all later models in these lines. Even Apple's recently discontinued 7th gen iPod Touch gets in on the fun. You can see the update notice for iPhone below.

The first flaw is tracked as CVE-2022-32894. It's an out-of-bounds write vulnerability in the operating system kernel, a low-level framework that has access to all parts of the system. A vulnerability here allows malware to execute code with the same high privilege level to completely take over the device.

The second vulnerability is CVE-2022-32893. This too is an out-of-bounds write vulnerability, but it's a flaw in the WebKit browser engine at the heart of Apple's Safari browser. Coincidentally, that's the only engine Apple allows on the iPhone. So, even third-party browsers like Chrome and Firefox offer no reprieve. This bug could also allow arbitrary code execution, and while the WebKit engine doesn't have the pervasive system access of the kernel, it is a web component. That means simply visiting a malicious website on an unpatched device could be enough to get you in trouble.

Apple says these flaws are being actively exploited and were reported by anonymous security researchers. These flaws are the sixth and seventh zero-days patched by Apple so far this year. We might hear about more Android vulnerabilities, but that's because Android is an open-source platform. Apple still sees its fair share of exploitable bugs, even in its silicon. One advantage Apple has is longer update support; avoiding zero-day exploits in the first place is ideal, but at least Apple can roll out updates promptly, even to older devices.