The latest version of macOS, including the upcoming Big Sur, has a security flaw, but Apple seems unwilling to patch it, a researcher has charged
In a blog post yesterday (June 30), Jeff Johnson found a way around macOS privacy protections in September 2019, but waited to report the flaw until Apple launched its bug bounty program in December (which increased the likelihood of paying him a reward), he stated
Apple did not completely stump Johnson, he admits, but he says the bug was originally scheduled to be fixed by spring 2020, but the company claims it is "still looking into the issue"
A beta version of macOS 11 Big Sur has been released, but apparently still contains the flaw now, Johnson disclosed [Talking to Apple Product Security is like talking to a brick wall," Johnson told The Register But this attitude is counterproductive But this attitude is counterproductive, because it alienates the people who report bugs and keeps them away from reporting bugs
Tom's Guide has reached out to Apple for comment and will update this article when we hear back
The alleged flaw is in Apple's Transparency, Consent, and Control (TCC) system; TCC was introduced in 2013 with OS X 109 Mavericks, but the file protection feature Johnson is concerned about was introduced in 2018 with macOS 1014 Mojave introduced it
As an example, Johnson said that TCC blocks access to Safari's Library folder, including browsing history, bookmarks, and downloads, from all applications except the Finder and Safari itself thanks to TCC, malware other applications, including malware, should not be able to access these Safari files
However, Johnson stated that TCC does not work correctly and that malware can actually access these files This is because they can create a copy of an existing application (such as Safari), place that copy elsewhere in the Mac file system, modify the copied application, and perform sneaky acts such as stealing information
"Any app downloaded from the Web can achieve this privacy bypass," Johnson wrote in a blog post
TCC fails because it does not verify that an app authorized to access a particular file is where it should be in the file system, Johnson says; TCC also "only superficially checks the app's code signature," so it not even properly check if it has been modified
"A copy of an app with changed resources would have the same file access as the original app (in this case Safari)," Johnson said he told Apple Johnson said that in his initial correspondence with Apple, he included a proof-of-concept exploit that is now available for download
Johnson acknowledged that this is not the world's worst security flaw
"Prior to Mojave, privacy protections did not exist at all on the Mac, so it's not worse now than in High Sierra or earlier," he wrote
"In my personal opinion, macOS privacy protection is primarily security theater
To protect yourself, Johnson recommends what we at Tom's Guide always suggest: be very careful about what you install on your Mac (or PC) and pay attention to the pop-up windows that appear when you install apps
We feel that the biggest weakness in Mac security is that it relies on the end user making informed decisions without the end user having sufficient information (The same can be said about Android security)
To remove some of the guesswork, be sure to install and run one of the best Mac antivirus apps that will sort out dangerous malware before you see it
Comments