When you updated your iPhone to iOS 16.3 last month, you got a few new features, including support for the new HomePod, and a dozen security updates. As it turns out, there were actually 15 security updates—Apple just didn’t tell us about three of them until this week.
It’s not clear why Apple didn’t disclose the updates, which were also part of macOS 13.2, but Apple says it “doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.” Apple also revealed a previously undisclosed security patch in iOS 16.3.1 and macOS 13.2.1 this week. Here are the details of the three fixes:
Crash Reporter
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; macOS Ventura
- Impact: A user may be able to read arbitrary files as root
- Description: A race condition was addressed with additional validation.
- CVE-2023-23520: Cees Elzinga
Foundation
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; macOS Ventura
- Impact: An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges
- Description: The issue was addressed with improved memory handling.
- CVE-2023-23530: Austin Emmitt, Senior Security Researcher at Trellix ARC
Foundation
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; macOS Ventura
- Impact: An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges
- Description: The issue was addressed with improved memory handling.
- CVE-2023-23531: Austin Emmitt, Senior Security Researcher at Trellix ARC
In a blog post, Trellix outlined its findings on the Foundation flaw, which include “a large new class of bugs that allow bypassing code signing to execute arbitrary code in the context of several platform applications, leading to escalation of privileges and sandbox escape on both macOS and iOS.” The bug originates from the so-called FORCEDENTRY Sandbox Escape flaw, which exploited Apple’s NSPredicate class and was patched in September. According to Trellix, the discovery of the original vulnerability “opened a huge range of potential vulnerabilities that we are still exploring.”
As the researchers explain, “An attacker with code execution in a process with the proper entitlements, such as Messages or Safari, can send a malicious NSPredicate and execute code with the privileges of this process. This process runs as root on macOS and gives the attacker access to the user’s calendar, address book, and photos.”
The company says the vulnerabilities “represent a significant breach of the security model of macOS and iOS which relies on individual applications having fine-grained access to the subset of resources they need and querying higher privileged services to get anything else.”
If you haven’t updated to iOS 16.3, Apple is no longer signing it, so you’ll have to update to iOS 16.3.1, which includes the fixes and features from iOS 16.3.
Update 2/21: Added background from a blog post by Trellix.