Apple has released revised security advisories to address three new vulnerabilities that could impact iOS, iPadOS, and macOS.
One of the vulnerabilities is a race condition in the Crash Reporter component that could allow a malicious actor to read arbitrary files as root, while the other two vulnerabilities in the Foundation framework could be weaponized to achieve code execution.
Apple has patched the medium to high-severity vulnerabilities in its recent updates. Trellix researcher Austin Emmitt has classified these two flaws as a new class of bugs that can allow bypassing code signing to execute arbitrary code.
These bugs could potentially be used to break out of the sandbox and execute malicious code with elevated permissions, providing access to sensitive data such as calendars, address books, messages, location data, call history, cameras, microphones, and photos.
The security defects could also be abused to install arbitrary applications or even wipe the device. The vulnerabilities pose a significant breach of the security model of macOS and iOS, which relies on individual applications having fine-grained access to the subset of resources they need. It’s important to address these vulnerabilities to prevent exploitation and protect sensitive data.