Cybersecurity researchers from Trellix recently published a detailed blog post in which it discussed discovering multiple vulnerabilities that are a “significant breach of the security model of macOS and iOS which relies on individual applications having fine-grained access to the subset of resources they need and querying higher privileged services for anything else.”
The vulnerabilities was found in CoreDuetd, a process gathering behavior data. A threat actor with code execution in a process with the proper entitlements (think Safari), can use the privileges of this process to execute malicious code, the researchers said. As this process runs as root on macOS, threat actors could also access people’s calendars, address books, and photos.
A similar issue impacts another process related to CoreDuetd, called ContextStored. This one allows threat actors to use a vulnerable XPC service to execute code, using a process with higher privileges.
The appstored and appstoredagent daemons hold vulnerable XPC Services as well, allowing threat actors to install abritrary applications, including system apps.
“By setting malicious scene activation rules an app can achieve code execution inside of SpringBoard, a highly privileged app that can access location data, the camera and microphone, call history, photos, and other sensitive data, as well as wipe the device,” the researchers concluded.
To be fair Apple has fixed both the problems in its MacOS 13.2, and iOS 16.3 updates. Trelling urges all users not to wait to apply the patch.