Apple’s software updates this week for multiple vulnerabilities in its macOS Monterey, iOS and iPadOS operating systems are the latest indication of growing interest from security researchers and threat actors in its technologies.
The flaws included one in macOS that allows attackers to bypass a central operating system security mechanism, two that were zero days at the time of disclosure, and several that allowed execution of arbitrary code with kernel-level privileges on vulnerable devices.
Apple released on Wednesday macOS Monterey 12.2, iOS 15.3 and iPadOS 15.3 with patches fixing a total of 13 vulnerabilities in macOS and 10 in iOS and iPadOS. The bugs were not all unique to one platform: several of the same flaws affected both macOS and Apple’s mobile operating systems.
Among the most critical flaws that Apple fixed this week was CVE-2022-22583, a permissions issue in several versions of macOS that gave attackers who already had root access on a system a way to bypass the operating system’s System Integrity Protection (SIP) mechanism.
Apple introduced SIP in 2015 as a mechanism to prevent malware and improve overall security. It works by preventing attackers — even those with root access — from doing things like loading kernel drivers and writing to certain directories, says Shlomi Levin, CTO of Perception Point, which reported the issue to Apple.
“While most operating systems allow root users to install services and modify systems, macOS follows what is called a ‘separation of authorities concept’ in which privileges are given to the SIP service,” he said. “This discovered vulnerability allows attackers to bypass the additional SIP boundary.”
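Because SIP is the boundary these bypasses are measured against, the first thing a responder wants to know about a Mac is whether SIP is actually on, and on in full. The script below is an added example written for this article, not Perception Point’s or Apple’s code: it parses the output of `csrutil status` (both the one-line enabled/disabled form and the per-feature custom configuration block) and reports any protection that has been turned off. The two sample outputs are constructed to mirror what `csrutil` prints, and the set of protections treated as required is the author’s choice.

```python
"""Parse `csrutil status` output and flag hosts where SIP is weakened.

Added example for this article; not Apple's or Perception Point's code.
The sample outputs below are constructed to match the two formats csrutil
prints: a simple status line, and a custom configuration block.
"""
import platform
import re
import subprocess

# Constructed sample: a default Monterey install with SIP fully enabled.
SAMPLE_ENABLED = "System Integrity Protection status: enabled.\n"

# Constructed sample: csrutil output after a partial disable from Recovery
# (for example `csrutil enable --without fs`), as csrutil prints it.
SAMPLE_CUSTOM = """System Integrity Protection status: unknown (Custom Configuration).

Configuration:
\tApple Internal: disabled
\tKext Signing: enabled
\tFilesystem Protections: disabled
\tDebugging Restrictions: enabled
\tDTrace Restrictions: enabled
\tNVRAM Protections: enabled
\tBaseSystem Verification: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
"""

# Protections an attacker would need off to write into SIP-protected paths or
# load unsigned kexts (author's choice). "Apple Internal" is expected to be
# disabled on retail hardware, so it is not in the required set.
REQUIRED = (
    "Kext Signing",
    "Filesystem Protections",
    "NVRAM Protections",
    "BaseSystem Verification",
)


def parse_csrutil(text):
    """Return (overall_status, {feature: enabled?}) from csrutil status text."""
    m = re.search(r"System Integrity Protection status:\s*(\w+)", text)
    if not m:
        raise ValueError("unrecognised csrutil output")
    status = m.group(1).lower()  # "enabled", "disabled" or "unknown"
    # Per-feature lines are indented and end in "enabled"/"disabled".
    features = {}
    for name, state in re.findall(
        r"^\s+([A-Za-z ]+?):\s*(enabled|disabled)\s*$", text, re.M
    ):
        features[name.strip()] = state == "enabled"
    return status, features


def sip_findings(text):
    """Reasons this host's SIP posture is weaker than default (empty list = OK)."""
    status, features = parse_csrutil(text)
    if status == "enabled":
        return []
    if status == "disabled":
        return ["SIP disabled"]
    # Custom configuration: check each protection we rely on individually.
    return [f"{f} disabled" for f in REQUIRED if not features.get(f, False)]


def check_local_host():
    """Run csrutil on a Mac; on other platforms fall back to the sample."""
    if platform.system() == "Darwin":
        out = subprocess.run(
            ["csrutil", "status"], capture_output=True, text=True
        ).stdout
    else:
        out = SAMPLE_CUSTOM
    return sip_findings(out)


if __name__ == "__main__":
    for label, sample in (("enabled", SAMPLE_ENABLED), ("custom", SAMPLE_CUSTOM)):
        print(f"{label}: {sip_findings(sample) or 'OK'}")
    print(f"local host: {check_local_host() or 'OK'}")
```

The per-feature parse matters because a host in a custom configuration reports its overall status as `unknown`, so a naive grep for `enabled` would miss a machine whose filesystem protections have been switched off while kext signing is still on.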
CVE-2022-22583 is the second SIP bypass vulnerability reported in recent months. Last October, Microsoft researchers discovered a vulnerability (CVE-2021-30892) in macOS which they called “shrootless”. The vulnerability essentially gave attackers a way to use an Apple-signed package to trick SIP into allowing malicious scripts to run.
It was Perception Point’s investigation of the shrootless flaw that led its researchers to the new vulnerability.
“Exploiting this vulnerability is essentially like trading something under your nose,” notes Levin. “SIP can install software and uses certain files to do so. In this case, the vulnerability offers the possibility of exchanging a certain trusted file with a malicious file.”
Apple said it implemented an improved validation mechanism in macOS Monterey 12.2 to fix the issue. The company credited two other researchers — one from Trend Micro and another anonymous individual — with reporting the flaw to the company.
Meanwhile, one of the two zero-day flaws (CVE-2022-22587) that Apple patched this week involved IOMobileFrameBuffer, a kernel extension tied to a device’s frame buffer. The memory corruption bug allows attackers to execute arbitrary code at the kernel level, and Apple said it was aware of a report that the issue may have been actively exploited in the wild. The bug affects macOS Monterey, iPhone 6s and later, all iPad Pro models, and several other Apple mobile devices.
“CVE-2022-22587 targets the macOS kernel, and compromising it may give the attacker root privileges,” says Levin. “However, SIP comes into play for exactly this kind of exploit.”
The flaw is one of several serious vulnerabilities that researchers have recently discovered in IOMobileFrameBuffer. Other examples include CVE-2021-30883, a zero-day code execution bug that Apple patched last October amid active exploit activity, and CVE-2021-30807, which Apple fixed last July.
A vulnerability in Safari WebKit Storage (CVE-2022-22594) for macOS and iOS was another issue that raised some concerns, as the flaw was publicly known for several days before the patch was made available this week. The flaw stems from what Apple described as a cross-origin issue in the IndexedDB API that essentially allows website operators to track a user’s browsing history.
“CVE-2022-22594 helps track/discover websites a user has visited,” Levin says. “This is a huge privacy issue, but it does not allow the attacker to take control of the victim’s machine.”
A total of six of the macOS flaws patched by Apple this week allowed execution of arbitrary code, some at the kernel level.
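With fixes spread across macOS Monterey 12.2, iOS 15.3 and iPadOS 15.3, the practical follow-up for a fleet is to find devices still below those versions. The script below is an added example for this article, not Apple’s tooling: it compares a device’s reported OS version against the fixed versions the article names, using numeric rather than string comparison so that a hypothetical 12.10 is not ranked below 12.2. The inventory rows are constructed, and the handling of other major versions (reported as “not covered” rather than “unpatched”, since the article only lists the Monterey and 15.x releases) is the author’s assumption.

```python
"""Check Apple OS versions against the releases that shipped this week's fixes.

Added example for this article, not Apple's tooling. The fixed-version table
comes from the article (macOS Monterey 12.2, iOS 15.3, iPadOS 15.3); the
inventory rows are constructed.
"""
import platform
import subprocess

# Minimum fixed version per (product, major version). Other majors, such as
# macOS 11.x, have their own update train and are reported as "not covered"
# rather than wrongly flagged (author's assumption).
FIXED = {
    ("macOS", 12): (12, 2),
    ("iOS", 15): (15, 3),
    ("iPadOS", 15): (15, 3),
}


def parse_version(s):
    """'12.2' -> (12, 2); '12.0.1' -> (12, 0, 1). Compared numerically."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {s!r}")
    return tuple(int(p) for p in parts)


def patch_state(product, version):
    """Return 'patched', 'unpatched' or 'not covered' for this advisory."""
    v = parse_version(version)
    fixed = FIXED.get((product, v[0]))
    if fixed is None:
        return "not covered"
    # Tuple comparison: (12, 2, 1) >= (12, 2) and (12, 10) >= (12, 2),
    # whereas a string compare would rank "12.10" below "12.2".
    return "patched" if v >= fixed else "unpatched"


# Constructed inventory rows, as an MDM export might list them.
INVENTORY = [
    ("mac-01", "macOS", "12.2"),
    ("mac-02", "macOS", "12.1"),
    ("mac-03", "macOS", "12.10"),  # hypothetical future point release
    ("mac-04", "macOS", "11.6.2"),  # Big Sur: not in the article's table
    ("ipad-01", "iPadOS", "15.3"),
    ("iphone-01", "iOS", "15.2.1"),
]


def triage(rows):
    """Map device name -> patch state for every inventory row."""
    return {name: patch_state(product, ver) for name, product, ver in rows}


def local_macos_state():
    """On a Mac, read the running version with sw_vers; elsewhere return None."""
    if platform.system() != "Darwin":
        return None
    ver = subprocess.run(
        ["sw_vers", "-productVersion"], capture_output=True, text=True
    ).stdout
    return patch_state("macOS", ver)


if __name__ == "__main__":
    for name, state in triage(INVENTORY).items():
        print(f"{name}: {state}")
    print(f"this host: {local_macos_state()}")
```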
Turn up the heat
The security updates in the latest versions of the operating system are Apple’s first for 2022 and follow a year where researchers reported numerous significant vulnerabilities and malware samples affecting macOS and iOS.
These include a zero-day arbitrary code execution flaw (CVE-2021-30860) in iOS and macOS that Apple patched in September 2021, which was used to spread the notorious Pegasus spyware to iPhones. Another example is CVE-2021-30657, a logic flaw patched in macOS Big Sur 11.3 that allowed attackers to bypass Apple’s security mechanisms, such as Gatekeeper and File Quarantine, to deploy malware called Shlayer on vulnerable systems. Other major vulnerabilities from the past year include CVE-2021-30713, a zero day that allowed attackers to bypass Apple’s Transparency, Consent, and Control (TCC) framework and gain full disk access and screen recording permissions, and CVE-2021-30892, or “shrootless”, a flaw discovered by Microsoft that allows attackers to bypass Apple’s System Integrity Protection (SIP) feature.
The relative success that researchers have had in breaking into Apple’s technologies – especially those explicitly designed to improve security such as Gatekeeper, TCC and SIP – is why companies are starting to pay attention to Mac and iOS environments, according to security experts.
“Every operating system suffers from vulnerabilities, and MacOS is no exception,” says Mike Parkin, engineer at Vulcan Cyber. “Windows is the big dog when it comes to deployed users, so historically they’ve been the biggest target. But Apple is also a big player, and attackers are focusing more of their attention on Apple’s products as potential targets.”
One indication was the collection of new sophisticated malware samples that emerged last year targeting Apple technologies and their vulnerabilities.
For years, Mac users have felt that their computers were safe from the cyberattacks that prey on Windows machines, Levin said. The Mac’s emergence in the corporate environment and its growing use as a business device has drawn the attention of cybercriminals, he notes.
“This has spurred the growing research invested in macOS as it continues to be a valid target for attackers today,” Levin notes. At the same time, “from a security perspective, Apple has tightened its security, and SIP is a great example of this as an innovative separation policy that doesn’t exist in other operating systems.”