The latest versions of iOS and iPadOS (16.3) and macOS (Ventura 13.2) have fixed the vulnerabilities tracked as CVE-2023-23530 and CVE-2023-23531. We explain the nature of these bugs, why they deserve your attention, what Pegasus spyware has to do with it, and why you should take these and future iOS, iPad and macOS security updates seriously.
NSPredicate, FORCEDENTRY, Pegasus, and all the rest
To explain why these latest updates are important, we need a little background. The software foundation of apps made for Apple operating systems is called — though you may not believe it — the Foundation framework! Here’s Apple’s description of it:
A little over two years ago, in January 2021, an iOS security researcher known as CodeColorist published a report that showed how the implementation of the NSPredicate and NSExpression classes (both part of the Foundation framework) can be exploited to execute arbitrary code. As it happens, these classes are responsible for sorting and filtering data. The key point for this blogpost is that these tools allow scripts to be executed on a device without verifying the digital signature of the code.
CodeColorist’s main finding was that such scripts can help bypass Apple security mechanisms — including app isolation. This makes it possible to write a malicious app that steals data (such as the user’s correspondence or random photos from the gallery) from other apps.
March 2022 saw the release of a paper on the practical implementation of such an app — the FORCEDENTRY zero-click exploit — which was used to spread the infamous Pegasus malware. The vulnerabilities within NSPredicate and NSExpression allowed this malware to perform a sandbox escape and gain access to data and functions outside the strictly defined boundaries within which all iOS apps work.
In the wake of both CodeColorist’s theoretical work and the hands-on study of the FORCEDENTRY exploit, Apple implemented a number of security measures and restrictions. However, a new study shows that these are still easy to bypass.
Why CVE-2023-23530 and CVE-2023-23531 are dangerous
The CVE-2023-23530 and CVE-2023-23531 vulnerabilities have become new ways to bypass these restrictions. The first, CVE-2023-23530, stems from how exactly Apple addressed the problem. Specifically, they drew up extensive denylists of classes and methods that pose an obvious security risk within NSPredicate. The catch is that, by using methods not included in the denylists, it’s possible to wipe these lists clean and then use the full set of methods and classes.
The second vulnerability, CVE-2023-23531, relates to how processes within iOS and macOS interact with each other, and how the receiving process filters incoming data. Simply put, the sending process can attach a “contents verified” tag to the data, then feed the receiving process a malicious script that uses NSPredicate, which in some cases will be executed without verification.
According to the researchers, these two techniques for bypassing security checks allow exploitation of a number of other specific vulnerabilities. Attackers could use these vulnerabilities to gain access to user data and dangerous operating system features, and even install applications (including system ones). In other words, CVE-2023-23530 and CVE-2023-23531 can be used to create FORCEDENTRY-type exploits.
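The underlying mechanism described above (predicate text that Foundation parses into selector calls, which is why such predicates must be screened before they are evaluated) as an added Swift example; this is not code from the post, from Apple or from the researchers, and the filter-string scenario, the function names and the sample predicate are assumptions:

```swift
import Foundation

// Added example, not code from the post or from Apple. It shows the pattern behind the
// bugs discussed above: a predicate built from untrusted text is a script, because the
// format language admits FUNCTION(...) and CAST(...) expressions that call selectors.
// Assumed scenario: an app receives a filter string from a server or a deep link.

/// True if any expression in the predicate tree invokes a selector or a native block.
func predicateCallsCode(_ pred: NSPredicate) -> Bool {
    if let compound = pred as? NSCompoundPredicate {
        return compound.subpredicates.compactMap { $0 as? NSPredicate }.contains(where: predicateCallsCode)
    }
    if let cmp = pred as? NSComparisonPredicate {
        return expressionCallsCode(cmp.leftExpression) || expressionCallsCode(cmp.rightExpression)
    }
    return false  // NSPredicate(value:) and block predicates carry no parsed expressions
}

func expressionCallsCode(_ expr: NSExpression) -> Bool {
    switch expr.expressionType {
    case .function, .block:
        return true  // FUNCTION(...), CAST(...), arithmetic: all dispatch to a selector or closure
    case .aggregate:
        return ((expr.collection as? [NSExpression]) ?? []).contains(where: expressionCallsCode)
    case .subquery:
        // collection is the expression being iterated; predicate is applied to each element
        let inner = (expr.collection as? NSExpression).map(expressionCallsCode) ?? true
        return inner || predicateCallsCode(expr.predicate)
    case .conditional:
        return predicateCallsCode(expr.predicate)
            || expressionCallsCode(expr.`true`) || expressionCallsCode(expr.`false`)
    case .unionSet, .intersectSet, .minusSet:
        return expressionCallsCode(expr.left) || expressionCallsCode(expr.right)
    default:
        return false  // constantValue, evaluatedObject, variable, keyPath, anyKey
    }
}

// Constructed sample of untrusted filter text. Parsed as a format string it becomes a
// selector call; passed as a %@ argument it is only ever a constant to compare against.
let untrusted = "FUNCTION(name, 'uppercaseString') == 'ALICE'"

let asFormat = NSPredicate(format: untrusted)                              // parses FUNCTION(...)
let asArgument = NSPredicate(format: "name == %@", argumentArray: [untrusted])

print(predicateCallsCode(asFormat))    // true: refuse to evaluate this predicate
print(predicateCallsCode(asArgument))  // false: the text is an opaque constant
```

The safe construction is the second one: untrusted text goes in as an argument, never as the format string, and any predicate that still arrives from outside the app is walked with predicateCallsCode before evaluate(with:) is ever called.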
To demonstrate the capabilities of CVE-2023-23530 and CVE-2023-23531, the researchers shot a video showing how a malicious app can be made to execute code inside SpringBoard (the standard application that manages the home screen on iOS) on an iPad. For its part, SpringBoard has elevated privileges and multiple access rights — including to the camera, microphone, call history, photos and geolocation data. What’s more — it can completely wipe the device.
What this means for iOS and macOS security
We should stress that the dangers posed by CVE-2023-23530 and CVE-2023-23531 are purely theoretical: there’ve been no recorded cases of in-the-wild exploitation. Also, the iOS 16.3 and macOS Ventura 13.2 updates have patched them, so if you install them on time, you are, supposedly, safe.
That said, we don’t know how well Apple has patched the vulnerabilities this time. Perhaps workarounds will be found for these patches too. At any rate, in conversation with Wired, the researchers themselves were pretty sure that new vulnerabilities of this class will continue to appear.
Keep in mind that just being able to run scripts in iOS using NSPredicate is not enough for a successful hack. An attacker still needs to somehow get into the victim’s device to be able to do anything with it. In the case of FORCEDENTRY, this involved the use of other vulnerabilities: an infected PDF disguised as an innocent GIF file was slipped onto the target device through iMessage.
The likelihood of such vulnerabilities being used in APT attacks is high, so it bears repeating the countermeasures you can take. We have a separate post about this where Costin Raiu, the Director of our Global Research & Analysis Team (GReAT), explains in detail how to protect yourself against Pegasus-class malware and why these measures work. Here’s a brief summary of his advice:
- Restart your iPhone and iPad more often — it’s hard for attackers to gain a permanent foothold in iOS, and a restart often kills malware.
- Disable iMessage and FaceTime if possible — these apps provide a convenient entry point for attacking iOS devices.
- Instead of Safari, use an alternative browser like, say, Firefox Focus.
- Don’t follow links in messages.
- Install reliable protection on all your devices.
- And finally (as we keep insisting ad infinitum), keep your operating systems up to date (and from now on, perhaps keep a more watchful eye out for iOS, iPadOS and macOS updates as and when they are released).