"A New Kind of Bug Spells Trouble for iOS and macOS Security"

A study has found a new class of vulnerabilities impacting Apple's iPhone and Mac operating systems, which, if abused, can allow an attacker to access messages, photos, and call logs. Researchers from the Advanced Research Center of the security firm Trellix have disclosed a bug that could enable hackers to bypass Apple's security protections and run their own unauthorized code. According to the team, the medium-to-high severity security flaws they discovered circumvent the measures Apple had implemented to protect users. The new findings draw on past work by Google and Citizen Lab, a research facility at the University of Toronto. In 2021, the two organizations found ForcedEntry, a zero-click, zero-day iOS exploit associated with the Israeli spyware maker NSO Group. The highly sophisticated exploit was discovered on the iPhone of a Saudi activist and was used to install NSO's Pegasus malware. ForcedEntry consisted of two parts, the first of which tricked an iPhone into opening a malicious PDF disguised as a GIF. The second part allowed attackers to circumvent Apple's sandbox, which prevents apps from accessing data stored by other apps and accessing other device components. Austin Emmitt, a senior vulnerability researcher at Trellix, focused his research on this second part and exploited the flaws he discovered to evade the sandbox. This article continues to discuss the new class of flaws that could allow an attacker to access a person's messages, photos, and call history. 

Wired reports "A New Kind of Bug Spells Trouble for iOS and macOS Security"