2023-02-22
Researchers Find New Class of Privilege Elevation Bug in iOS and macOS
Editor's Note
Apple patched these flaws with its January updates, but did not disclose these flaws until last week. Last week, Apple updated the related advisories declaring that they patched these vulnerabilities.

Johannes Ullrich
The more time (i.e. decades) you spend in the industry watching things like this, the more you are not shocked when mitigations are broken. Pointer Authentication was very much a game changer in exploit mitigation on this platform. Sidestepping it to introduce a new class of bugs is fascinating and not surprising. Maybe what is surprising is that the technique was circling around for 4 years before this type of article came out. It is a patched set of bugs and you should keep your phones updated.

Moses Frost
These exploits are mitigated in iOS/iPadOS 16.3 and macOS 13.2. If you are still allowing devices to stay on iOS 15 or earlier, it’s time to update. Note that updates to these new OS versions may require hardware replacements, so check your compatibility, keeping in mind getting new x86 Apple desktops is problematic.

Lee Neely
In the ancient days [1990s and earlier] you could look at the number of hours spent finding the next bug in a piece of software over time and see a knee in the curve – the point where it could be considered stable/secure enough to release. Of course, that was when new versions of software came out yearly or less, and complexity of code was much lower overall. There really are no more knees in the software risk curve – using software means and will always mean continual patching to reduce risk. That’s why browsers and cloud services update themselves so frequently.

John Pescatore
An example of security researchers properly disclosing a class of vulnerabilities to the software vendor. The result: affected software reviewed, software changes made, patch released, and researchers given appropriate credit for finding the class of vulnerabilities. Kudos to Trellix security researchers.

Curtis Dukes
As I understand it, this class of vulnerability can be exploited only by rogue applications, not from the user or network interfaces. Do I have that right?
