When you updated your iPhone to iOS 16.3 last month, you got several new features, including support for the new HomePod and a dozen security updates. As it turns out, there were actually 15 security updates – Apple didn’t tell us about three of them until this week.
It’s not clear why Apple held back disclosure of these updates, which were also part of macOS 13.2, but Apple says it “does not disclose, discuss, or confirm security issues until an investigation is made and patches or releases are available.” Apple also released a previously unknown security patch for iOS 16.3.1 and macOS 13.2.1 this week. Here are the details of the three fixes:
Crash Reporter
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; macOS Ventura
- Impact: A user may be able to read arbitrary files as root
- Description: A race condition was addressed with additional verification.
- CVE-2023-23520: Cees Elzinga
Foundation
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; macOS Ventura
- Impact: An application can execute arbitrary code from within its sandbox or with certain elevated privileges.
- Description: This issue was addressed through improved memory handling.
- CVE-2023-23530: Austin Emmitt, Senior Security Researcher at Trellix ARC
Foundation
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; macOS Ventura
- Impact: An application can execute arbitrary code from within its sandbox or with certain elevated privileges.
- Description: This issue was addressed through improved memory handling.
- CVE-2023-23531: Austin Emmitt, Senior Security Researcher at Trellix ARC
In a blog post, Trellix outlined its findings on the Foundation vulnerabilities, which include “a large new class of bugs that allow code signing to be bypassed to execute arbitrary code in the context of multi-platform applications, resulting in privilege escalation and sandboxing on both macOS and iOS.” The bug stems from the so-called FORCEDENTRY Sandbox Escape vulnerability, which used Apple’s NSPredicate class and was patched in September. According to Trellix, the discovery of the original vulnerability “opened up a huge range of potential vulnerabilities that we are still investigating.”
As the researchers explain, “an attacker with code execution in a process with appropriate rights, such as Messages or Safari, could send a malicious NSPredicate and execute code with that process’s privileges. This process runs as root on macOS and gives the attacker access to the user’s calendar, address book, and photos.”
The company says the vulnerabilities “represent a serious violation of the macOS and iOS security model, which is based on individual applications having granular access to a subset of the resources they need and requesting more privileged services in order to get anything else.”
If you haven’t updated to iOS 16.3, note that Apple is no longer signing it, so you’ll have to update to iOS 16.3.1, which includes the fixes and features from iOS 16.3.
February 21 update: Added background from Trellix blog post.