February 22, 2023 (updated 23 Feb 2023 11:14am)

Apple patches three vulnerabilities in iPadOS, iOS and macOS

The trio of bugs can be used for remote code execution, security researchers fear. The tech giant has taken swift action.

By Claudia Glover

Three vulnerabilities have been flagged by Apple as impacting iPadOS, iOS and macOS devices. Two of the vulnerabilities are within the company’s “Foundation” framework and could be weaponised to launch remote code execution, giving hackers control of targeted systems.

Three Apple vulnerabilities uncovered by researchers. (Photo by View Apart/Shutterstock)

The company has moved quickly to release patches for the three vulnerabilities. Apple states on its support page that “the issue was addressed with improved memory handling.”

Three Apple vulnerabilities flagged by researchers

The three vulnerabilities grant elevated privileges to attackers. Those in the Foundation framework, CVE-2023-23530 and CVE-2023-23531, were uncovered by researchers at cybersecurity vendor Trellix, who showed that the flaws could be abused to achieve remote code execution on an infected Apple device.

The flaws are classified as a “new class of bugs that allow bypassing code signing to execute arbitrary [code] in the context of several platform applications, leading to escalation of privileges and sandbox escapes on both macOS and iOS,” according to a Trellix blog released this week.

Mitigations that Apple had previously put in place to combat “zero-click” vulnerabilities can be bypassed by the new exploits. Zero-click vulnerabilities, often used by spyware such as NSO Group’s Pegasus, require no interaction from the owner of the target device to install malware.

The pair of flaws could also be used by attackers to install their own application or even to wipe the device, and “represent a significant breach of the security model of the macOS and iOS,” according to Trellix.

The third vulnerability, CVE-2023-23520, affects the crash reporter component on iOS and can allow an attacker to read arbitrary files as root. Apple’s security advisory page describes the fix as “a race condition addressed with additional validation.”


By identifying and patching these vulnerabilities, Apple has demonstrated its strong relationship with the security community, argues Jonathan Knudsen of the Synopsys Cybersecurity Research Centre. “Trellix’s disclosures of privilege escalation vulnerabilities affecting macOS and iOS illustrate a fruitful interplay between security researchers and Apple,” he says. “Software must be built with security in mind at every phase, with the goal of finding and eliminating as many vulnerabilities as possible. Even when you do everything right, however, some vulnerabilities can still be present in the released software.”

Such vulnerabilities must be tackled quickly, Knudsen adds. “Post-release, security researchers (both benevolent and malicious) might also discover vulnerabilities,” he says. “Responding quickly to inbound security disclosures is critically important. Some organisations, including Apple, encourage security researchers to submit issues by providing incentives, typically called bug bounties. Recognising and engaging the security research community is an important component of a comprehensive software security initiative.”
