Apple fixed two major security vulnerabilities with iOS 16.3 and macOS 13.2 for supported iPhone, iPad and Mac models, according to details shared by a security research firm. These updates were rolled out to users last month, and came with important bug fixes and security patches. Apple has credited the researchers with finding these flaws, that allowed a remote user to bypass protections put in place by Apple and gain access to a user’s personal data as well as their camera, microphone, and call history.
Security research firm Trellix explains in a blog post that Apple introduced security fixes to block the ForcedEntry security exploit used by NSO Group, creator of the nefarious Pegasus malware, in 2021. However, the firm found that these security protections could be bypassed by a remote user, and reported the flaws to Apple.
Apple is said to have used a protocol called NSPredicateVisitor to shore up the security of its NSPredicate tool, that is used by developers to filter code. Exploits like ForcedEntry would be able to bypass that mechanism to gain access to the user’s device.
An attacker could use the security flaw to bypass the sandbox that prevents one app from accessing data of other apps on the device, as well as sensitive or personal information, according to the security firm. These could include messages, call logs, photos, location details, as well as smartphone hardware such as the camera and microphone.
However, there appears to be no evidence that these flaws have been exploited by malicious actors. Meanwhile, users who have updated their devices to the latest version of iOS and macOS should be protected from these security flaws, according to Trellix.
Apple has also updated its release notes for iOS 16.3 and macOS 13.2, and both documents credit Trellix Senior Security Researcher Austin Emmitt with identifying two security flaws — CVE-2023-23530 and CVE-2023-23531 — on the mobile and desktop operating systems. Meanwhile, Trellix has thanked Apple for working quickly with the firm to resolve both security flaws.