Apple’s software update this week to address multiple vulnerabilities in its macOS Monterey operating system, iOS and iPadOS is the latest sign of growing interest in its technology from security researchers and threat actors.
The vulnerabilities include one in macOS that allows attackers to bypass core operating system security mechanisms, two that were zero-days at the time of disclosure, and several that allow arbitrary code execution with kernel-level privileges on vulnerable devices.
On Wednesday, Apple released macOS Monterey 12.2, iOS 15.3 and iPadOS 15.3, fixing 13 bugs in macOS and 10 bugs in iOS and iPadOS. Not all of the bugs are unique to one operating system: several of the same bugs affected both macOS and Apple’s mobile operating systems.
Among the more serious flaws Apple fixed this week is CVE-2022-22583. The vulnerability stems from a permissions issue in several macOS versions and essentially gives attackers who already have root access on the system a way to bypass the company’s System Integrity Protection (SIP) mechanism.
Apple released SIP in 2015 as a malware prevention and overall security enhancement mechanism. Shlomi Levin, CTO of Perception Point, said it works by preventing attackers — even those with root access — from doing things like loading kernel drivers and writing to certain directories.
“While most operating systems allow root users to install services and make changes to the system, MacOS follows what’s called the ‘separation of privileges concept,’ where privileges are delegated to SIP services,” he said. “This discovered vulnerability enables attackers to bypass additional SIP boundaries.”
CVE-2022-22583 is the second SIP bypass vulnerability reported in recent months. Last October, Microsoft researchers discovered a vulnerability (CVE-2021-30892) in macOS, which they call “Shrootless”. That vulnerability essentially gives an attacker a way to trick SIP into allowing malicious script execution by using an Apple-signed package.
It was Perception Point’s investigation of the Shrootless vulnerability that led to the new one.
“Exploiting this vulnerability is essentially like exchanging something under one’s nose,” Levin noted. “SIP can install software and use certain files to do so. In this case, the vulnerability provides the ability to exchange a trusted file with a malicious file.”
Apple says it has implemented an improved authentication mechanism in macOS Monterey 12.2 to address the issue. The company has credited two other researchers, one from Trend Micro and the other anonymous, for reporting the vulnerability to the company.
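As an added example (not code from the article, Apple or Perception Point), a small POSIX shell check a Mac administrator could run to confirm that a host is at or past the macOS 12.2 release that carries the SIP fix and that SIP itself is still enabled. It assumes the “System Integrity Protection status: enabled” wording that csrutil status prints; the command calls are skipped on non-macOS hosts so the functions can be exercised on constructed inputs.

```shell
#!/bin/sh
# Posture check against the macOS Monterey 12.2 fixes described in the article.
PATCHED_MACOS="12.2"   # Monterey release carrying the CVE-2022-22583 (SIP bypass) fix

# version_lt A B : succeed if dotted numeric version A is older than B
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ap="${a%%.*}"; bp="${b%%.*}"             # leading component of each
    [ "$ap" = "$a" ] && a="" || a="${a#*.}"   # drop it (last component -> empty)
    [ "$bp" = "$b" ] && b="" || b="${b#*.}"
    : "${ap:=0}" "${bp:=0}"                   # missing trailing component counts as 0
    [ "$ap" -lt "$bp" ] && return 0
    [ "$ap" -gt "$bp" ] && return 1
  done
  return 1                                    # equal
}

# needs_monterey_update VERSION : succeed if VERSION is a Monterey build older than 12.2
needs_monterey_update() {
  case "$1" in
    12.*) version_lt "$1" "$PATCHED_MACOS" ;;
    *)    return 1 ;;                         # not Monterey: out of scope for this check
  esac
}

# sip_enabled TEXT : succeed if TEXT (output of "csrutil status") reports SIP enabled
sip_enabled() {
  case "$1" in
    *"System Integrity Protection status: enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check, only where the macOS tools exist.
if command -v sw_vers >/dev/null 2>&1; then
  ver=$(sw_vers -productVersion)
  needs_monterey_update "$ver" && echo "macOS $ver predates $PATCHED_MACOS: update" \
                               || echo "macOS $ver: not a pre-$PATCHED_MACOS Monterey build"
  sip_enabled "$(csrutil status 2>/dev/null)" && echo "SIP: enabled" \
                                              || echo "SIP: disabled or unknown"
fi
```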
Meanwhile, one of two zero-day vulnerabilities (CVE-2022-22587) fixed by Apple this week involves IOMobileFrameBuffer, a kernel extension related to device frame buffers. Apple says the memory corruption flaw allows attackers to run arbitrary code at the kernel level and is likely to have been actively exploited in the wild. The vulnerability affects macOS Monterey, iPhone 6 and later, all iPad Pro models, and several other Apple mobile devices.
“CVE-2022-22587 targets the macOS kernel, and breaching it could provide an attacker with root privileges,” Levin said. “However, SIP is there for exactly this kind of exploitation.”
The vulnerability is one of several critical vulnerabilities recently discovered by researchers in IOMobileFrameBuffer. Other examples include CVE-2021-30883, a zero-day code execution bug that Apple patched last October while it was being used in an active exploit campaign, and CVE-2021-30807, which Apple fixed last July.
A vulnerability in Safari’s WebKit storage for macOS and iOS (CVE-2022-22594) is another issue that has raised some eyebrows, as it was made public days before this week’s patch. The flaw stems from what Apple describes as a cross-origin issue in the IndexedDB API that essentially allows website operators to track users’ browsing history.
“CVE-2022-22594 helps track/discover the websites that users have visited,” Levin said. “It’s a huge privacy issue, but the attacker has no control over the victim’s machine.”
Overall, six of the macOS vulnerabilities Apple patched this week allow arbitrary code execution, some at the kernel level.
Turn up the heat
The security update in the latest OS version is Apple’s first for 2022, a year after researchers reported a number of major vulnerabilities and malware samples affecting macOS and iOS.
These include a zero-day arbitrary code execution flaw (CVE-2021-30860) in iOS and macOS, patched by Apple in September 2021, that was used to spread the infamous Pegasus spyware on iPhones. Another example is CVE-2021-30657, a logic flaw in macOS Big Sur 11.3 that allows attackers to bypass Apple security mechanisms such as Gatekeeper and File Quarantine to deploy malware called Shlayer on vulnerable systems. Other major vulnerabilities from last year include CVE-2021-30713, a zero-day allowing attackers to bypass Apple’s Transparency, Consent, and Control (TCC) framework and gain full disk access and screen recording permissions, and CVE-2021-30892, or “Shrootless,” a vulnerability discovered by Microsoft that could allow attackers to bypass Apple’s System Integrity Protection (SIP) feature.
Security experts say the researchers’ relative success with Apple’s technology — especially those explicitly designed to improve security, such as Gatekeeper, TCC and SIP — is why businesses are starting to focus on Mac and iOS environments.
“Every operating system has vulnerabilities, and MacOS is no exception,” said Mike Parkin, engineer at Vulcan Cyber. “Windows is the big dog in terms of deployed users, so historically they’ve been the biggest target. But Apple is also a big player, and attackers are turning more attention to Apple’s products as potential targets.”
One indication is a collection of sophisticated new malware samples targeting Apple technology and its vulnerabilities that emerged last year.
For years, Mac users have assumed that their computers are safe from the kinds of cyberattacks that hit Windows computers, Levin said. He noted that the arrival of Macs in corporate environments and their increasing use as business devices has caught the attention of cybercriminals.
“This spurs continued research investment in macOS, as it remains a valid target for attackers today,” Levin noted. At the same time, “From a security perspective, Apple has beefed up its security, and SIP is a good example of an innovative separation strategy that doesn’t exist in other operating systems.”