DER Entitlements: The (Brief) Return of the Psychic Paper

- Ivan Fratric, a Project Zero researcher, discovered CVE-2022-42855, an XML parsing vulnerability in Apple's Mail app. - The vulnerability could have allowed an attacker to execute arbitrary code on a vulnerable device through a crafted email. - Apple fixed the vulnerability in iOS 15.7.2 and macOS Monterey 12.6.2. - Hardening changes related to the vulnerability were included in iOS 16.2 and macOS Ventura 13.1. - Fratric's research focused on XML parsing quirks and their security implications in XMPP-based applications. - Other examples of XML parsing vulnerabilities have been identified, including a vulnerability in Apple's Mail app known as Ps. - Ps allowed attackers to execute arbitrary code on vulnerable devices by sending a crafted email with a malicious XML attachment. - Apple patched Ps in macOS Catalina 10.15.7 and iOS 13.7. - Fratric highlights the importance of careful XML parsing and validation to prevent such vulnerabilities.