
Some might think that a company offering a bounty program for what is often considered the world’s most secure operating system would act quickly on reported finds. That does not appear to be the case for at least one man’s discoveries. It does, unfortunately, fit a pattern of the Cupertino company leaving some exploits unpatched long after being notified about them. App developer Jeff Johnson recently posted on his blog about an exploit he discovered in September of 2019. His blog post goes into detail about how the exploit functions.

Today I’m disclosing a macOS privacy protections bypass. (You may recall that I disclosed another one last year.) The privacy protections system (also known as TCC: Transparency, Consent, and Control) was introduced in macOS Mojave, and one of its purposes is to protect certain files on your Mac from access by unauthorized apps. I’ve discovered a way for an unauthorized app to read the contents of protected files, thus bypassing the privacy protections. This issue exists in Mojave, Catalina, and the Big Sur beta. It remains unaddressed and is, therefore, in one sense, a zero-day.

He goes on to lay out a timeline of the long, drawn-out process of reporting and following up on the exploit. It starts with his report to Apple’s security bounty program, and Apple Product Security, on December 19th, 2019. Nearly a month later, he’s told that they hope to address it in the spring of 2020. Come spring, and after multiple update inquiries, he’s told they are still investigating it. This is even after the recent Big Sur beta is released. A day after being told that it’s still under investigation, on June 29th, he goes public with it.

Not the first discovery

This is not the first exploit he’s discovered either. The Register reports he discovered another in February 2019 that was still not fixed eight months after he notified Apple. That one is similar to this latest find, in that it could also allow unauthorized access to directories containing sensitive user data. When he followed up on it last October, he was informed it still had not been fixed. Perhaps Apple is merely waiting to fix these as it transitions away from Intel? This could be the case if some hardware-level detail is playing a factor in the exploit.

Peter Brosdahl


4 Comments

  1. This is doubly bad by Apple. They were withholding payment to keep him from releasing in hopes of getting paid. That’s bs.

    As a security researcher you probably need to release it after that time because if you don’t and someone else discovers it through no fault of your own you might be held liable or under suspicion and potentially facing legal and civil lawsuits. That window of time is to protect the company, the expiration is to protect the researcher.

  2. Not defending Apple here, but I keep thinking there’s another side to this story we aren’t hearing.
  3. "World’s most secure operating system" my ***.

    OS X, or MacOS as they have decided to revert the name to is highly problematic from a security perspective for many reasons.

    1.) Apple is very opaque about discovered vulnerabilities

    2.) Apple does not push out patches quickly, often waiting months for the next release, and sometimes does not patch them several releases in a row!

    3.) MacOS may be based on top of FreeBSD, and FreeBSD is very highly regarded for its security, but everything sitting on top of the base OS is programmed by Apple or third parties, and I personally have no faith in it at all.

    4.) Most vulnerabilities in all operating systems stem from installed programs, not the underlying operating system itself, and there is absolutely nothing to suggest that installed applications are any more secure on MacOS than any other operating system. In fact, all Linux distributions and the BSDs have a huge advantage here due to their central package manager that keeps everything up to date.

    5.) Apple has a huge reputation for security among people who are uninformed. It is completely undeserved.

    If they want to improve, they need to be completely transparent with their bug reporting and patching plans. They need to patch and patch quickly. Have security updates weekly or biweekly like other platforms. Take security seriously! They have ridden the whole "Security by obscurity" bandwagon for too long, being a smaller target than the likes of Windows due to their smaller userbase, but there is absolutely nothing MacOS has as an advantage from a technical perspective compared to Windows, and they are far behind the likes of Linux and the BSDs.
