

"These issues could be used by malicious applications and exploits to gain access to sensitive information such as a user's messages, location data, call history, and photos."

Computer Weekly explains that the vulnerability bypasses strengthened code-signing mitigations put in place by Apple on its developer tool NSPredicate after the infamous ForcedEntry exploit used by Israeli spyware manufacturer NSO Group:

The vulnerabilities range from medium to high severity with CVSS scores between 5.1 and 7.1.

"The Trellix Advanced Research Center vulnerability team has discovered a large new class of bugs that allow bypassing code signing to execute arbitrary code in the context of several platform applications, leading to escalation of privileges and sandbox escape on both macOS and iOS. As macOS has continually adopted more features of iOS it has also come to enforce code signing more strictly." Since the earliest versions of the iPhone, "The ability to dynamically execute code was nearly completely removed," write security researchers at Trellix, "creating a powerful barrier for exploits which would need to find a way around these mitigations to run a malicious program."
