
New Class of Bug Spells Trouble for Apple

Every now and then researchers or hackers discover a new class of bugs that spells trouble for a vendor. Apple is no exception. For a long time, when no one really cared about Apple, it looked like they were bulletproof. Not any more.

This new bug, if exploited, could let a hacker steal your messages, photos and call logs.

Researchers from Trellix are publishing details that would allow hackers to disable Apple’s security protections and run their malicious code.

The key thing here is that this is not a simple bug; rather, it breaks Apple’s security model at a core level.

This also means that researchers – and Apple – may be able to find more bugs that fit into this attack framework. The long game is that this will improve Apple’s security. In the short term, maybe not so much.

The researchers built on 2021 work by Google and Citizen Lab called ForcedEntry. ForcedEntry is a zero-click zero-day (you can’t get worse than that) against Apple’s iOS. This was the type of attack used by the NSO Group to install malware on victims’ phones without them having to do anything to initiate the attack.

Trellix built on this attack to escape Apple’s security sandbox. While Apple attempted to close the hole that the ForcedEntry attack used, similar to many vendors’ attempts at closing holes, it was too little.

The bug that they abused exists in many places inside the Apple universe, including the home screen, location data, photos and even the camera.

Trellix even posted a proof of concept video. They say that this new class of bugs shines a light on an area that has not been the target of much research. But now it will be.

While Apple patched these specific bugs in macOS 13.2 and iOS 16.3, that does not mean this is the end of it. Update your devices and stay tuned.

Credit: Wired
