<h1>Why you need to update iOS and macOS ASAP</h1>
<p>Kaspersky Daily, published 2023-03-15: https://www.kaspersky.com.au/blog/ios-macos-nspredicate-class-of-bugs/31685/</p>
<p>The latest versions of iOS and iPadOS (16.3) and macOS (Ventura 13.2) have fixed the vulnerabilities tracked as CVE-2023-23530 and CVE-2023-23531. We explain the nature of these bugs, why they deserve your attention, what <a href="https://www.kaspersky.com/blog/pegasus-spyware/14604/" target="_blank" rel="noopener nofollow">Pegasus</a> spyware has to do with it, and why you should take these and future iOS, iPadOS and macOS security updates seriously.</p>
<h2>NSPredicate, FORCEDENTRY, Pegasus, and all the rest</h2>
<p>To explain why these latest updates are important, we need a little background. The software foundation of apps made for Apple operating systems is called — though you may not believe it — the Foundation framework! Here’s Apple’s <a href="https://developer.apple.com/documentation/foundation" target="_blank" rel="nofollow noopener">description</a> of it:</p>
<div style="background-color: #E5F0EC; padding: 10px 25px; margin-bottom: 10px;"> “The Foundation framework provides a base layer of functionality for apps and frameworks, including data storage and persistence, text processing, date and time calculations, <strong>sorting and filtering</strong>, and networking. The classes, protocols, and data types defined by Foundation are used throughout the macOS, iOS, watchOS, and tvOS SDKs.”</div>
<p>A little over two years ago, in January 2021, an iOS security researcher known as <a href="https://twitter.com/CodeColorist" target="_blank" rel="nofollow noopener">CodeColorist</a> published a <a href="https://codecolor.ist/2021/01/16/see-no-eval-runtime-code-execution-objc/" target="_blank" rel="nofollow noopener">report</a> that showed how the implementation of the NSPredicate and NSExpression classes (both part of the Foundation framework) can be exploited to execute arbitrary code. As it happens, these classes are responsible for <strong>sorting and filtering data</strong>. The key point for this blogpost is that these tools allow scripts to be executed on a device without verifying the code’s digital signature.</p>
<p>CodeColorist’s main finding was that such scripts can help bypass Apple security mechanisms — including app isolation. This makes it possible to write a malicious app that steals data (such as the user’s correspondence or photos from the gallery) from other apps.</p>
<p>March 2022 saw the release of a paper on the <a href="https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html" target="_blank" rel="nofollow noopener">practical implementation</a> of such an app — the FORCEDENTRY zero-click exploit — which was used to spread the infamous Pegasus malware. The vulnerabilities within NSPredicate and NSExpression allowed this malware to perform a <a href="https://encyclopedia.kaspersky.com/glossary/sandbox-escape/" target="_blank" rel="noopener">sandbox escape</a> and gain access to data and functions outside the strictly defined boundaries within which all iOS apps work.</p>
<p>In the wake of both CodeColorist’s theoretical work and the hands-on study of the FORCEDENTRY exploit, Apple implemented a number of security measures and restrictions. However, a new <a href="https://www.wired.com/story/trellix-ios-macos-bug-nspredicate/" target="_blank" rel="nofollow noopener">study</a> shows that these are still easy to bypass.</p>
<h2>Why CVE-2023-23530 and CVE-2023-23531 are dangerous</h2>
<p>The CVE-2023-23530 and CVE-2023-23531 vulnerabilities have become new ways to bypass these restrictions. The first, CVE-2023-23530, stems from how exactly Apple addressed the problem. Specifically, they drew up extensive denylists of classes and methods that pose an obvious security risk within NSPredicate. The catch is that, by using methods not <em>included</em> in the denylists, it’s possible to wipe these lists clean and then use the full set of methods and classes.</p>
<p>The second vulnerability, CVE-2023-23531, relates to how processes within iOS and macOS interact with each other, and how the data-receiving process filters incoming information. Simply put, the sending process can attach a “contents verified” tag to its data and then feed the receiving process a malicious NSPredicate script, which in some cases is executed without verification.</p>
<p>According to the researchers, these two techniques for bypassing security checks allow a number of other specific vulnerabilities to be exploited. Attackers could use these vulnerabilities to gain access to user data and dangerous operating system features, and even install applications (including system ones). In other words, CVE-2023-23530 and CVE-2023-23531 can be used to create FORCEDENTRY-type exploits.</p>
<p>To demonstrate the capabilities of CVE-2023-23530 and CVE-2023-23531, the researchers shot a video showing how a malicious app can be made to execute code inside <a href="https://en.wikipedia.org/wiki/SpringBoard" target="_blank" rel="nofollow noopener">SpringBoard</a> (the standard application that manages the home screen on iOS) on an iPad. For its part, SpringBoard has elevated privileges and multiple access rights — including to the camera, microphone, call history, photos and geolocation data. What’s more — it can completely wipe the device.</p>
<h2>What this means for iOS and macOS security</h2>
<p>We should stress that the dangers posed by CVE-2023-23530 and CVE-2023-23531 are purely theoretical: there’ve been no recorded cases of in-the-wild exploitation. Also, the iOS 16.3 and macOS Ventura 13.2 updates have patched them, so if you install them on time, you are, supposedly, safe.</p>
<p>That said, we don’t know how well Apple has patched the vulnerabilities <em>this</em> time. Perhaps workarounds will be found for these patches too. At any rate, in conversation with Wired, the researchers themselves were pretty sure that new vulnerabilities of this class will <a href="https://www.wired.com/story/trellix-ios-macos-bug-nspredicate/" target="_blank" rel="nofollow noopener">continue to appear</a>.</p>
<p>Keep in mind that just being able to run scripts in iOS using NSPredicate is not enough for a successful hack. An attacker still needs to somehow get into the victim’s device to be able to do anything with it. In the case of FORCEDENTRY, this involved the use of <a href="https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html" target="_blank" rel="nofollow noopener">other vulnerabilities</a>: a malicious PDF disguised as an innocuous GIF file was slipped onto the target device through iMessage.</p>
<p>The likelihood of such vulnerabilities being used in <a href="https://www.kaspersky.com/resource-center/threats/advanced-persistent-threat" target="_blank" rel="noopener nofollow">APT attacks</a> is high, so it bears repeating the countermeasures you can take. We have a separate post about this where Costin Raiu, the Director of our Global Research &amp; Analysis Team (GReAT), explains in detail how to <a href="https://www.kaspersky.com/blog/how-to-protect-from-pegasus-spyware/43453/" target="_blank" rel="noopener nofollow">protect yourself against Pegasus-class malware</a> and why these measures work. Here’s a brief summary of his advice:</p>
<ul>
<li>Restart your iPhone and iPad more often — it’s hard for attackers to gain a permanent foothold in iOS, and a restart often kills malware.</li>
<li>Disable iMessage and FaceTime if possible — these apps provide a convenient entry point for attacking iOS devices.</li>
<li>Instead of Safari, use an alternative browser like, say, Firefox Focus.</li>
<li>Don’t follow links in messages.</li>
<li>Install <a href="https://www.kaspersky.com.au/premium?icid=au_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___" target="_blank" rel="noopener">reliable protection</a> on all your devices.</li>
<li>And finally (as we keep insisting ad infinitum), keep your operating systems up to date (and from now on, perhaps keep a more watchful eye out for iOS, iPadOS and macOS updates as and when they are released).</li>
</ul>