Security vulnerabilities can put your personal information at risk. One such issue was CVE-2023-23499, which was found in several major Apple operating systems. Until Apple fixed it, this bug could let a malicious app get access to sensitive data you didn't want to share.
In this long read, we'll break down what happened with CVE-2023-23499, why it was dangerous, the code behind the scenes, and how hardened runtime saved the day. If you use a Mac, iPhone, iPad, Apple TV, or Apple Watch, this is a story you should know. Let's start!
What is CVE-2023-23499?
CVE-2023-23499 is the identifier given to a specific security flaw affecting Apple products. Apple publicly acknowledged it in their security updates for early 2023. The short version: An app may be able to access your sensitive data on affected Apple devices.
This was possible because some protections weren't strict enough, allowing apps to break through security walls and snoop around files and data that were supposed to be private.
Where Was This Vulnerability Found?
This issue was discovered in many Apple operating systems. Here’s a list of affected platforms and the versions where it got fixed:
watchOS 9.3
If you’re using a version *older* than these, you could be at risk.
How Did It Work?
The technical details for CVE-2023-23499 were not fully published by Apple, but from the public changelogs and reports, we know that the issue involved Apple’s hardened runtime settings.
"Hardened runtime" is a bundle of security technologies that restrict what an app can do, especially if it tries something shady, like reading or writing to sensitive parts of your system.
Before this fix, an app not running under a strict hardened runtime might abuse system calls or APIs to read files it should not have had access to, such as private documents or sensitive app data.
A High-Level Look at the Exploit
To imagine the problem, let’s say an app was able to read files from another user’s home folder. The attack would look like this (in pseudocode):
// This code is for educational, non-malicious purposes
import Foundation
let fileManager = FileManager.default
let sensitivePath = "/Users/someone/Documents/important.txt"
if fileManager.isReadableFile(atPath: sensitivePath) {
let contents = try? String(contentsOfFile: sensitivePath)
print("Sensitive Information: \(contents ?? "")")
}
In a system with weak runtime protections, the above code could work if the malicious app found a way to escalate its access rights. Even sandboxed apps might discover loopholes using older APIs or system misconfigurations.
The Fix: Enabling Hardened Runtime
Apple fixed this issue by enforcing the hardened runtime for all apps and not allowing them to opt out. In technical terms, they required stricter process sandboxing and runtime restrictions, such as:
Here’s how code signing with hardened runtime is enabled for Mac apps
codesign --options runtime --sign "Developer ID Application: Your Name (TEAMID)" MyApp.app
The --options runtime flag enforces these additional restrictions.
Exploit Details
Apple classifies this as an "App may be able to access user-sensitive data" vulnerability. Here’s a step-by-step rundown of how the exploit could work (hypothetically):
A malicious app is installed by the user (possibly masquerading as something safe).
2. The app, not being required to use the hardened runtime, finds a way to read or exfiltrate private files.
Information is sent off the device, compromising the user's privacy.
4. After Apple’s fix, the same app would be blocked at several layers, and reading sensitive files would fail.
Note: Apple does not publish full exploits for privacy and safety reasons, and as of June 2024, no public proof-of-concept code is available for this CVE.
How Can You Stay Protected?
Update Your Devices!
macOS Big Sur 11.7.3
- iOS/iPadOS 16.3
watchOS 9.3
You can check for updates by going to Settings > General > Software Update.
References & Further Reading
- Apple Security Updates
- Apple security content of macOS Ventura 13.2
- Apple CVE-2023-23499
- Apple Hardened Runtime Guide
Conclusion
CVE-2023-23499 reminds us why device updates are critical and how advanced security features like Apple’s hardened runtime protect everyday users. Always keep your devices updated, be cautious about what you download, and rest a bit easier knowing that major tech companies are patching holes as soon as they’re found.
If you want more in-depth technical details as they become available, watch the official Apple security posts and the National Vulnerability Database.
Timeline
Published on: 02/27/2023 20:15:00 UTC
Last modified on: 03/08/2023 23:12:00 UTC