Apple's software updates this week for multiple vulnerabilities in its macOS Monterey operating system, iOS, and iPadOS serve as the latest indication of security researchers' and threat actors' growing interest in its technologies.
The flaws included one in macOS that allows attackers to bypass a core OS security mechanism, two that were zero-days at the time they were disclosed, and several that allowed for arbitrary code execution with kernel-level privileges on vulnerable devices.
Apple on Wednesday released macOS Monterey 12.2, iOS 15.3 and iPadOS 15.3 with fixes addressing a total of 13 vulnerabilities in macOS and 10 in iOS and iPadOS. Not all the bugs were unique to each operating system environment. In fact, several of the same bugs impacted both macOS and Apple's mobile OS technologies.
Among the more critical flaws that Apple fixed this week was CVE-2022-22583. The flaw was tied to a permissions issue in multiple versions of macOS and basically gave attackers, who already had root access on a system, a way to bypass the company's System Integrity Protection (SIP) mechanism.
Apple released SIP in 2015 as a malware prevention and overall security enhancing mechanism. It works by prohibiting attackers — even those with root access — from doing things like loading kernel drivers and writing to certain directories, says Shlomi Levin, CTO of Perception Point, which reported the issue to Apple.
"While most operating systems enable root users to install services and alter the systems, MacOS follows what’s called a ‘separation of authority concept’ in which privileges are entrusted to the SIP service," he says. "This discovered vulnerability enables attackers to bypass the additional SIP boundary."
CVE-2022-22583 is the second SIP bypass vulnerability reported in recent months. Last October, Microsoft researchers discovered a vulnerability (CVE-2021-30892) in macOS that they called "shrootless." The vulnerability basically gave attackers a way to use an Apple-signed package to trick SIP into allowing malicious scripts to execute.
It was Perception Point's investigation of the shrootless flaw that led it to the new vulnerability.
"Exploiting this vulnerability essentially is like swapping something from right under one’s nose," Levin notes. "SIP can install software and uses certain files to do so. In this case, the vulnerability offers the ability to swap a certain trusted file with a malicious one."
Apple said it has implemented an improved validation mechanism in macOS Monterey 12.2 to address the issue. The company has credited two other researchers — one from Trend Micro and another anonymous individual — for reporting the flaw to the company.
Meanwhile, one of the two zero-day flaws (CVE-2022-22587) that Apple fixed this week involved IOMobileFrameBuffer, a kernel extension related to a device's frame buffer. The memory corruption bug allows attackers to run arbitrary code at the kernel level and is likely being actively exploited in the wild already, Apple said. The bug impacts macOS Monterey, iPhone 6 and later, all iPad Pro models, and several other Apple mobile devices.
"CVE-2022-22587 targets the macOS kernel, and compromising it can give the attacker root privileges," Levin says. "However, SIP comes into play exactly for this kind of exploit."
The flaw is one of several serious vulnerabilities that researchers have uncovered in IOMobileFrameBuffer recently. Other examples include CVE-2021-30883, a zero-day code execution bug that Apple patched last October amid active exploit activity, and CVE-2021-30807, which Apple fixed last July.
A vulnerability in Safari WebKit Storage (CVE-2022-22594) for macOS and iOS was another issue that attracted some concern because the flaw was publicly known for several days prior to patch availability this week. The flaw stems from what Apple described as a cross-origin issue in the IndexedDB API that basically gives website operators a way to track a user's browsing history.
"CVE-2022-22594 aids in tracking/discovering what websites a user has visited," Levin says. "This is a huge privacy issue but does not enable the attacker to take control over the victim's machine."
In total, six of the macOS flaws that Apple patched this week allowed for arbitrary code execution, some at the kernel level.
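As an added example, not code from the article, Apple, or any of the researchers quoted, here is a small compliance check a Mac administrator could run against the fixes described above: it parses the output of `sw_vers` and `csrutil status` and flags hosts still below macOS 12.2 or running with SIP disabled or only partially configured. The embedded command outputs are constructed samples, and the `assess` helper and its messages are my own.

```python
import re
import subprocess
import sys

# Release carrying the fixes described above (CVE-2022-22583 SIP bypass, CVE-2022-22587 zero-day): macOS 12.2.
PATCHED_MACOS = (12, 2)

# Constructed sample output of `sw_vers` and `csrutil status` from an unpatched Mac with SIP on.
SAMPLE_SW_VERS = "ProductName:\tmacOS\nProductVersion:\t12.1\nBuildVersion:\t21C52\n"
SAMPLE_CSRUTIL = "System Integrity Protection status: enabled.\n"

def parse_version(text):
    """'12.1.1' -> (12, 1, 1); numeric tuples compare correctly where strings do not ('12.10' > '12.2')."""
    return tuple(int(p) for p in text.strip().split("."))

def is_patched(product_version, minimum=PATCHED_MACOS):
    """True if the installed ProductVersion is at or above the release that carries the fixes."""
    v, m = parse_version(product_version), tuple(minimum)
    n = max(len(v), len(m))  # pad so (12, 2) and (12, 2, 0) compare as equal
    return v + (0,) * (n - len(v)) >= m + (0,) * (n - len(m))

def sip_state(csrutil_output):
    """Classify `csrutil status`: 'enabled', 'disabled', 'custom' (some protections off) or 'unknown'."""
    m = re.search(r"status:\s*(enabled|disabled)", csrutil_output)
    if not m:
        return "unknown"
    if m.group(1) == "enabled" and "Custom Configuration" in csrutil_output:
        return "custom"  # partial SIP: the root-to-SIP boundary the article describes is weakened
    return m.group(1)

def assess(sw_vers_output, csrutil_output):
    """Return a list of findings for one host; an empty list means patched with SIP fully enabled."""
    findings = []
    ver = re.search(r"ProductVersion:\s*([\d.]+)", sw_vers_output)
    if not ver:
        findings.append("could not read ProductVersion from sw_vers output")
    elif not is_patched(ver.group(1)):
        findings.append(f"macOS {ver.group(1)} predates 12.2: CVE-2022-22583/CVE-2022-22587 fixes missing")
    state = sip_state(csrutil_output)
    if state != "enabled":
        findings.append(f"SIP is {state}: a root compromise is not contained by the SIP boundary")
    return findings

if __name__ == "__main__":
    if sys.platform == "darwin":  # on a real Mac, read live values instead of the constructed samples
        run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
        sw, cs = run(["sw_vers"]), run(["csrutil", "status"])
    else:
        sw, cs = SAMPLE_SW_VERS, SAMPLE_CSRUTIL
    print("\n".join(assess(sw, cs)) or "OK: patched and SIP enabled")
```

The same functions apply to the iOS/iPadOS 15.3 release if fed a device's reported version with a different `minimum`.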
Turning Up the Heat
The security updates in the latest OS versions are Apple's first for 2022 and follow a year when researchers reported numerous significant vulnerabilities and malware samples impacting macOS and iOS.
These include a zero-day arbitrary code execution flaw (CVE-2021-30860) in iOS and macOS that Apple patched in September 2021, which was used to deliver the notorious Pegasus spyware on iPhones. Another example is CVE-2021-30657, a logic flaw in macOS Big Sur 11.3 that allowed attackers to bypass Apple security mechanisms, like Gatekeeper and File Quarantine, to deploy malware called Shlayer on vulnerable systems. Other major vulnerabilities last year included CVE-2021-30713, a zero-day that allowed attackers to bypass Apple's Transparency, Consent, and Control (TCC) framework and gain full disk access and screen recording permissions, and CVE-2021-30892, or "shrootless," a flaw that Microsoft discovered that let attackers bypass Apple's System Integrity Protection (SIP) feature.
The relative success that researchers have had poking holes into Apple's technologies — especially those explicitly designed to improve security such as Gatekeeper, TCC, and SIP — is reason for enterprises to start paying attention to the Mac and iOS environments, security experts say.
"Every operating system suffers from vulnerabilities, and MacOS is no exception," says Mike Parkin, an engineer at Vulcan Cyber. "Windows is the big dog as far as deployed users are concerned, so historically they’ve been the biggest target. But Apple is also a big player, and attackers are turning more of their attention to Apple’s products as potential targets."
One indication was the collection of sophisticated new malware samples that emerged last year targeting Apple technologies and vulnerabilities in them.
For years, Mac users have been under the impression that their computers are immune from the cyberattacks that prey on Windows machines, Levin says. The emergence of the Mac in the enterprise environment and its increasing use as a business device has gained the attention of cybercriminals, he notes.
"This has spurred the growing research invested in macOS as it continues to be a valid target for today's attackers," Levin notes. At the same time, "from a security perspective, Apple has toughened up its security, and SIP is a great example of this as an innovative separation policy that doesn’t exist in the other operating systems."