New macOS attack vector exploits ‘security theater’, says developer


A macOS developer has discovered a vulnerability that can bypass the privacy protections the operating system places on certain files and folders.

Essentially, the TCC (Transparency, Consent, and Control) framework restricts the ability of applications on macOS to access certain protected files or folders. As an example, Johnson writes that an application may not have access to the ~/Library/Safari folder unless it has been explicitly granted.

In a blog post revealing the exploit, Johnson said there are two fatal flaws in the protections: the exceptions are based on a bundle identifier rather than a file path, and the system only “superficially” verifies the code signature of an application.

“Therefore, an attacker can make a copy of an application in a different location on disk, modify the resources of the copy, and the copy of the application with modified resources will still have the same access to the file as the original application, in this case, Safari,” Johnson wrote.

An example of the disk and folder privacy protections that the exploit can bypass.

A proof-of-concept attack created by the developer uses Safari to exploit those vulnerabilities: it is a modified copy of Safari that can access protected files and send private data to a server. A second application is the one that actually downloads and launches the modified Safari, a task that any application downloaded from the web can perform.
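To make the two flaws concrete, here is a simplified model of a signed app bundle, added here as an illustration rather than taken from Johnson's post or from Apple's code. It is not the real CodeResources or TCC format: the bundle layout, the `sign_bundle` / `verify_shallow` / `verify_deep` functions, the signing key and the access policy are all constructed assumptions. It shows why a check that only covers the main executable accepts a copied bundle with modified resources, why a grant keyed on the bundle identifier alone follows that copy to a new location, and what a deeper check catches.

```python
"""Simplified model of a code-signed app bundle (constructed example).
Not Apple's real CodeResources/TCC format; every name here is an assumption."""
import copy
import hashlib
import hmac

SIGNING_KEY = b"constructed-developer-key"  # stands in for a signing identity


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _sealed_string(bundle_id: str, executable: bytes, manifest: dict) -> str:
    # What the seal covers: identifier, executable digest, resource digests.
    parts = [bundle_id, _digest(executable)]
    parts += [f"{p}={h}" for p, h in sorted(manifest.items())]
    return "|".join(parts)


def sign_bundle(bundle: dict) -> dict:
    """Return a signed copy of bundle = {"id", "executable", "resources"}.
    The seal is an HMAC over the identifier, the executable digest and a
    manifest listing the digest of every resource file."""
    signed = copy.deepcopy(bundle)
    manifest = {p: _digest(d) for p, d in bundle["resources"].items()}
    sealed = _sealed_string(bundle["id"], bundle["executable"], manifest)
    signed["seal"] = {
        "manifest": manifest,
        "mac": hmac.new(SIGNING_KEY, sealed.encode(), "sha256").hexdigest(),
    }
    return signed


def verify_shallow(bundle: dict) -> bool:
    """'Superficial' check: the seal is intact for the identifier, the main
    executable and the manifest, but resources on disk are never compared."""
    seal = bundle.get("seal")
    if not seal:
        return False
    sealed = _sealed_string(bundle["id"], bundle["executable"], seal["manifest"])
    expected = hmac.new(SIGNING_KEY, sealed.encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, seal["mac"])


def verify_deep(bundle: dict) -> bool:
    """Deep check: every resource must match the sealed manifest, and files
    the manifest does not list are rejected."""
    if not verify_shallow(bundle):
        return False
    manifest = bundle["seal"]["manifest"]
    resources = bundle["resources"]
    if set(manifest) != set(resources):
        return False
    return all(_digest(resources[p]) == h for p, h in manifest.items())


def access_allowed(bundle: dict, location: str, grants: dict, strict: bool) -> bool:
    """grants maps bundle identifier -> path where access was granted.
    strict=False models a grant keyed on identifier plus a shallow check;
    strict=True also requires a deep check and the original location."""
    granted_at = grants.get(bundle["id"])
    if granted_at is None:
        return False
    if not strict:
        return verify_shallow(bundle)
    return verify_deep(bundle) and location == granted_at


def demo() -> dict:
    """Constructed scenario: a genuine bundle, and a copy of it elsewhere on
    disk whose resources were modified and extended."""
    original = sign_bundle({
        "id": "com.example.browser",
        "executable": b"\x7fELF-like main binary (constructed)",
        "resources": {"Contents/Resources/Localizable.strings": b"Hello"},
    })
    tampered = copy.deepcopy(original)  # same executable, same seal
    tampered["resources"]["Contents/Resources/Localizable.strings"] = b"Modified"
    tampered["resources"]["Contents/Resources/extra.bin"] = b"unlisted file"

    grants = {"com.example.browser": "/Applications/Browser.app"}  # constructed
    home, elsewhere = "/Applications/Browser.app", "/tmp/Browser.app"
    return {
        "original_shallow": verify_shallow(original),
        "original_deep": verify_deep(original),
        "tampered_shallow": verify_shallow(tampered),
        "tampered_deep": verify_deep(tampered),
        "original_allowed_strict": access_allowed(original, home, grants, True),
        "copy_allowed_lenient": access_allowed(tampered, elsewhere, grants, False),
        "copy_allowed_strict": access_allowed(tampered, elsewhere, grants, True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The lenient policy in `access_allowed` mirrors the two flaws the article describes: the grant is looked up by identifier, and the signature check never reaches the resources, so the modified copy in a different location is treated exactly like the original. The strict branch is a hypothetical hardening for illustration, not a description of how macOS behaves.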

Because of the exploit, Johnson claims that the Mac’s privacy protections are “primarily a security theater and only harm legitimate Mac developers while allowing applications to bypass them through many existing holes.”

The developer first reported the bug to the Apple Security Bounty program in December 2019, prompting several months of back-and-forth. Although Apple Product Security told Johnson it would fix the problem in spring 2020, he says it is still present in the beta version of macOS 11 Big Sur.

How to avoid or mitigate this vulnerability

Importantly, the exploit only really affects the privacy protections introduced in macOS Mojave and later versions. In other words, it reduces macOS security to the level of High Sierra and earlier versions.

Because of that, Johnson writes that the level of concern about the vulnerability really depends on “how you generally feel about macOS privacy protections.”

The vulnerability can be exploited by non-sandboxed malicious apps on a Mac, so the best mitigation strategy is to be cautious when downloading any app from outside the Mac App Store.