
A team of security experts claims to have discovered a “new class” of vulnerabilities that could enable attackers to circumvent tech giant Apple’s security measures in iOS and macOS to access users’ sensitive data.
The vulnerabilities carry Common Vulnerability Scoring System (CVSS) ratings between 5.1 and 7.1, with severities ranging from moderate to severe. Malware or an exploit chain could abuse these flaws to access personal data such as a user’s messages, location information, call history, and images.
Trellix’s findings build on prior work from Google and Citizen Lab, which in 2021 identified a zero-day exploit called ForcedEntry, developed by Israeli spyware maker NSO Group and deployed remotely and covertly at the behest of its government customers. The exploit was used to hack into iPhones.
To block the attack, Apple later strengthened its device protections with new code-signing mitigations that cryptographically confirm the device’s software is trusted and has not been altered. However, Trellix claimed that these mitigations are insufficient to prevent similar attacks.
In a blog post, Trellix wrote that the latest issues affect NSPredicate, an Apple framework class that lets developers define conditions for filtering and searching data. After the ForcedEntry bug, Apple tightened the restrictions on NSPredicate by using the NSPredicateVisitor protocol. Nonetheless, Trellix claimed that almost all NSPredicateVisitor implementations can be bypassed.
Apple has reportedly addressed these issues in iOS 16.3 and macOS 13.2; users should update their iPhones and MacBooks to stay secure.
The researchers reported that the first vulnerability they discovered in this new class of flaws was in coreduetd, a daemon that collects information about user behavior on a device.
An attacker who has gained the privileges of this process can send a malicious NSPredicate to, and execute code within, a process holding the necessary entitlements, such as Messages or Safari. Because the process runs as root on macOS, the researchers said, the attacker can access the user’s calendar, address book and images.