App developer reveals that macOS Ventura has a security vulnerability that was reported 10 months ago

Ashwin
Aug 21, 2023

An app developer has revealed that macOS Ventura has a security issue that he reported to Apple 10 months ago. The vulnerability in question affects the App Management feature in the operating system.

The developer's blog post (spotted by Apple Insider) says that the issue was discovered when macOS Ventura was released in October 2022.

What is App Management in macOS?

Apple introduced a new security feature in macOS Ventura, called App Management. It uses a policy that prevents an app from making unauthorized modifications to other apps. In this scenario, macOS notifies the user that an app wants to manage other apps, and that the attempt was blocked. Users may manually allow an app to update other apps from the Privacy and Security section under the System Settings. Since older versions of the operating system do not have the App Management feature, they are not affected by the following issue.

Unpatched security exploit in macOS Ventura 13.5.1

Jeff Johnson, an app developer (underpassapp.com), found a vulnerability that impacted App Management in macOS Ventura, and reported it to Apple on October 19, 2022. Two days later, he received an acknowledgement from the Apple Product Security Team. For context, Apple released macOS 13 Ventura on October 24th.

App Management's security system checks the signature of apps to verify that apps signed by one developer do not modify apps from other developers. The exploit discovered by Johnson involves the App Sandbox in macOS. There are six ways in which an app could gain permission to modify other apps; the sixth is the exploit that Johnson discovered. Normally, a sandboxed app, even with limited file system access, shouldn't be able to modify files that are inside another app unless it has gained permission to do so. However, the /Applications folder is included within the sandbox, which a non-sandboxed app could use to gain access to a sandboxed app's files. This would extend the latter's sandbox.

Johnson has created a sample Xcode project with the source code for two apps: a non-sandboxed app and a sandboxed app that is embedded in the former. The non-sandboxed app asks for the path of a file to modify, and the Modify File button opens this file in the sandboxed helper app (a document-based app). The helper is then able to overwrite the contents of the file and save it, which completely bypasses App Management's restrictions.
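Because the bypass ends with files inside another app's bundle being overwritten, a defender can look for the result by re-verifying each bundle's code signature. The script below is an added example, not code from the article or from Johnson's sample project; the function names, the `--audit` switch and the `CODESIGN` override are assumptions of this example.

```shell
#!/bin/sh
# Added example: list app bundles whose code signature no longer verifies.
# A bundle whose sealed contents were overwritten after signing fails this check.

# Path to the verifier. On macOS this resolves to /usr/bin/codesign.
# Overridable (assumption of this example) so the logic can be exercised elsewhere.
CODESIGN="${CODESIGN:-codesign}"

# verify_bundle PATH
# Exit status 0 if the bundle's signature is intact, non-zero otherwise.
#   --deep    also verifies nested code (helpers, frameworks)
#   --strict  applies the stricter validation rules
verify_bundle() {
    "$CODESIGN" --verify --deep --strict "$1" >/dev/null 2>&1
}

# audit_apps DIR
# Prints the path of every *.app under DIR that fails verification.
# Returns 0 when every bundle verified, 1 when at least one did not.
audit_apps() {
    dir="$1"
    failed=0
    for app in "$dir"/*.app; do
        # Skip the literal pattern when DIR contains no bundles.
        [ -d "$app" ] || continue
        if ! verify_bundle "$app"; then
            printf '%s\n' "$app"
            failed=1
        fi
    done
    return "$failed"
}

# Run only when asked to, e.g.:  sh audit.sh --audit /Applications
if [ "${1:-}" = "--audit" ]; then
    audit_apps "${2:-/Applications}"
fi
```

Unsigned apps are reported as well, so compare the output against a list taken when the machine was in a known-good state.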

When a security vulnerability is found and reported to the vendor, researchers wait for a couple of months for a security patch to be released. The details of the exploit are usually published after the bug has been addressed. But this particular security vulnerability remains unfixed in macOS Ventura 13.5.1. Apple released macOS 13.5.1 a few days ago to fix a bug that was preventing the location permissions manager from working correctly. Johnson remarked that the straightforwardness and ease of the bypass is truly stunning.

The developer had reported the App Management exploit in macOS Ventura under the Apple Security Bounty program, which allows users, security researchers, and experts to report new security threats in Apple's operating systems. Apple rewards the person who reported the vulnerability by paying them money. The reward depends on various factors such as the quality of the report, the type of vulnerability, the number of affected users, etc.

It turns out that Apple had not paid Johnson for sharing his findings with the company. Since he had filed the bug under the bounty program, Johnson had waited patiently to see if Apple would fix the issue and reward his discovery. However, after waiting for 10 months and not receiving compensation for his effort, the developer says in his article that he regrets participating in the Apple Security Bounty program. He also writes that it has been a frustrating time, that he has lost confidence in Apple for failing to protect the security of Mac users, and that he feels guilty about not acting sooner.

Oddly, he was credited, along with a few others, for reporting a security issue that was patched in macOS Ventura 13.4. CVE-2023-32357 mentions Jeff Johnson, and the issue is related to apps that could retain access to system configuration files even after their permission is revoked. The bug, which was an authorization issue, was addressed with improved state management.

Here's the thing: this was not the issue that Johnson had found, and Apple had declined to share the information with him. It had informed the developer that his report had been helpful in fixing CVE-2023-32357, but he did not receive a bounty for it, since he was not the first person to have reported it to the company. Johnson had previously discovered a vulnerability that could bypass file privacy and security protections in macOS Mojave.

Publisher: Ghacks Technology News

Comments

  1. John said on August 18, 2023 at 12:06 pm
    Reply

    Really the only thing I dislike about MacOS as a whole is the way Apple updates the OS with huge update file downloads. Actually 700Mb is small compared to some Apple has released which are in the gigabyte size. These large file sizes also translate to long update times as well.

  2. Anonymous said on August 28, 2023 at 1:48 pm
    Reply

    I like Emre, Onur, Shaun and Eray’s articles more, Ashwin and Martin are always complaining about something instead of getting excited and sharing their excitement with the world.

    Ever since I started bookmarking their pages my mood has been so much better, I’m glad to be free of the depressing vibe the two of them have. Damn it feels good to just enjoy life and not look for things to complain like I used to while I was under their influence.

    1. John G. said on September 2, 2023 at 11:31 pm
      Reply

      Personally I really like @Ashwin and @Martin articles both equally. Please respect the authors.

    2. Herman Cost said on September 4, 2023 at 2:37 pm
      Reply

      You realize that none of the authors you like are real people, right? They are AI bots ‘writing’ articles that are basically taken from product advertisements (e.g., “Get Protected the Right Way With Avast Free AntiVirus” Really?) So, yes they are excited, but the excitement comes from advertising copy. No real world negativity from those sources.

      My approach is to use a UBlock Origin filter to block all the articles except those by Martin and Ashwin. It has made the site readable again for me.

      1. Anonymous said on September 5, 2023 at 1:03 pm
        Reply

        I would like to achieve that as well. Mind sharing some UBlock tricks & tips? :)

      2. TelV said on September 5, 2023 at 3:59 pm
        Reply

        @ Anonymous,

        Go to this link from yesterday https://www.ghacks.net/windows-11-update-stuck-fixed-for-good/#comment-4573146 and scroll down to the post by “Anonymous said on September 2, 2023 at 1:33 pm” He (or she) posted instructions on how to skip articles written by users other than Martin and Ashwin.

        You might want to consider changing your name before you post to make it easier for users to identify your comments.

      3. John Wold said on September 5, 2023 at 4:25 pm
        Reply

        @Herman Cost
        You can add this to your rules in uBlock Origin:

        ghacks.net##.hentry,.home-posts,.home-category-post:not(:has-text(/Martin Brinkmann|Ashwin/))

      4. tired said on September 13, 2023 at 3:41 pm
        Reply

        @John World. Thank you dude. So much better.

        Why does Martin even allow this garbage to ruin his website. Every single article not written by martin and ashwin reads like sensational clickbait, I don’t care about if I should buy the latest apple product every week, new roblox cock rings that don’t pull your pubic hair, elon musk’s new body spray or whatever bullshit these bots can come up with.

      5. Anonymous said on September 24, 2023 at 7:10 am
        Reply

        I think he means your filters

    3. Anonymous said on September 5, 2023 at 2:52 pm
      Reply

      +I like Emre, Onur, Shaun and Eray’s articles more

      you’ve made my day

  3. TelV said on September 5, 2023 at 3:48 pm
    Reply

    It’s not the EU’s fault that Bing is such a crappy search engine. In any event it’s built into the OS and Microsoft does its best to convince users to adopt it over Google by making it the default search tool. A great many Windows 11 users are not technically minded and don’t know how to switch to another search engine and just accept their lot.

    In any event I hope the EU Commission doesn’t allow Microsoft to pull the wool over their eyes.

    1. Anonymous said on September 5, 2023 at 11:26 pm
      Reply

      Both Google and Bing are now worthless. Nowadays, Yandex is the only search engine that finds anything I’m looking for.

      1. TelV said on September 20, 2023 at 12:33 pm
        Reply

        Try https://sear.be.

        Yandex is Russian and under Putin’s control. Search results you get may not be accurate and possibly manipulated to give you a false sense of security depending on what you’re looking for.

  4. ECJ said on September 5, 2023 at 7:16 pm
    Reply

    Bing is absolutely a gatekeeper. Except for countries such as China and Russia that have their own search engines (Baidu and Yandex), most of the world’s searches rely on just two search engines: Google and Bing.

    Alternative search engines overwhelmingly get their search results from Bing. DuckDuckGo, Ecosia, Qwant, Swisscows, Excite, Lycos, Yahoo, You, etc. all use Bing behind the scenes for their results.

    StartPage originally used the Google search engine for its results, but have also started using Bing as well recently.

    Microsoft also use Bing as the default search engine in Windows (such as the Start menu search, Taskbar search, desktop search bar, Edge sidebar, etc.) and use Bing as the default search engine in Edge – which is the default browser on Windows. Windows has greater than 70% desktop market share and is used by more than two billion people.

    Not to mention Microsoft’s anti-consumer efforts when it comes to Bing. They have a history of malicious intent by aggressively trying to trick users who use a different search engine and browser into resetting their default search engine and browser back to Edge and Bing (by displaying unscrupulous popup dialogue boxes and full screen pages prompting the user to change their settings back to the “recommended settings” – which is Edge and Bing).

    1. TelV said on September 20, 2023 at 12:50 pm
      Reply

      @ ECJ,

      Microsoft’s Bing has managed to sidestep the EU’s Digital Markets Act for now arguing that it doesn’t qualify as a gatekeeper: https://www.computerworld.com/article/3705935/eu-lists-gatekeepers-to-be-regulated-opens-imessage-and-bing-investigations.html

      The easiest way to avoid Bing is never to use Edge. It’s not mandatory and you’re free to use which browser you wish. I use Floorp myself which is a Firefox fork with many extra privacy configurations. https://floorp.app/en/download/

  5. ilev said on September 6, 2023 at 8:37 am
    Reply

    “A report claims that Apple is developing an affordable MacBook series”

    It is time to stop posting Rumors as reports.

    Apple has already a Chromebook killer. It is called : iPad.

  6. John said on September 6, 2023 at 2:47 pm
    Reply

    I can see Apple getting concerned about losing sales to Chrome OS devices. Given that K-12 kids have probably been using Chromebooks and would be familiar with that platform going off to college. I remember when Apple ruled K-12 computer rooms and because they simply out priced the educational sector. Google managed to take a huge bite out of educational market especially with COVID. I never thought iPads worked in a K-12 setting, and mac’s are too expensive. I doubt Apple can really make a MacBook below $500 which would compete with Chromebooks.

    1. bruh said on September 12, 2023 at 5:30 pm
      Reply

      I managed hundreds of ipads for schools when I worked at an MSP – ipads are certainly OK, and boy are they hundreds of times better than Android tablets. Chromebooks suck so much, their market penetration into school system became real when schools received a bunch from government

  7. aibot said on September 7, 2023 at 1:43 am
    Reply

    Apple has always had great difficulty grasping what “low cost” means. I don’t have much faith in them ever generating anything that can compete with a Chromebook, but I’ll buy it if they do. I don’t want a Google OS, Windows is getting painful, and I’m tired of hearing how great Linux is from people who don’t use it.

    I agree with the posters above about the usefulness of using a uBO filter to limit the posts I see on this site to those from Martin and Ashwin.

  8. vector said on September 11, 2023 at 12:01 am
    Reply

    While Apple has patched iOS 16 for this, they haven’t yet indicated if they’re going to for supposedly-still-getting-security-updates iOS 12 (the latest OS option for the millions of still-in-use iPhone 6) and iOS 15 (still in use on millions of iPhone 6s to 8, which can’t be upgraded to 16).

    I hope they do. Long-term support is one area where Apple phones crush Android, and it’s the #2 reason I use them (#1 is because not a privacy nightmare).

    1. vector said on September 13, 2023 at 12:19 am
      Reply

      Apple has now released security updates for iOS 12 and 15 to address this issue. This is how you keep loyal customers.

      1. tinarse said on September 13, 2023 at 7:59 am
        Reply

        Released an update for iOS 15, yes; for iOS 12, no. It’s not clear from reading their release notes if this means iOS 12 is not affected, or if they’re just not bothering.

  9. John said on September 11, 2023 at 1:50 pm
    Reply

    M3 won’t move the needle much on performance. Honestly, Apple has put itself in a bind making the M1 really good. Probably the first time when Mac users can have some real lasting performance. But that also means that many won’t be persuaded to upgrade as often either. I am using a M1 MacBook Air and a M1 Mac mini and have yet to even entertain upgrading to a M2 or even a future M3 model of either because I am very satisfied with the M1 performance.

  10. John said on September 12, 2023 at 12:57 pm
    Reply

    I like iPhone in general have owned iPhones for many years. But I don’t see these Apple events inspiring me to want to upgrade and spend hundreds to get what few improvements offered up.

  11. Anonymous said on September 13, 2023 at 3:10 am
    Reply

    People still watch this nonsense? As I get older technology no longer excites me.

  12. bruh said on September 13, 2023 at 10:22 am
    Reply

    I love it – Apple took an objectively bad thing and turned it into something people don’t hate. “It’s not that our front camera/sensors cover up screen real estate, this is uhh, a dynamic island… Yeah! It’s a feature actually, you’re lucky to have it”.

    1. TelV said on September 20, 2023 at 12:54 pm
      Reply

      @ bruh,

      I like iPhone too, but you have to be a virtual millionaire these days to own one and I don’t have the kind of money required to purchase one I’m afraid.

  13. angelsanges said on September 13, 2023 at 2:33 pm
    Reply

    2015??

  14. Oxa said on September 13, 2023 at 3:40 pm
    Reply

    “Sorry Series 8, Apple Watch Series 9 is as powerful as it is handsome”
    “Apple to release iOS 17 and iPadOS 17 on September 18, and macOS Sonoma on October 26”
    “Apple unveils the Apple Watch Series 9 and Watch Ultra 2”
    “Apple Watch Ultra 2 packs a punch to the older generation”
    “Does it make sense to upgrade to iPhone 15?”
    “iPhone 15 Pro and iPhone 15 Pro Max with Ray Tracing, Action Button announced”
    “Apple announces iPhone 15 series with USB-C port, Dynamic Island”

    Seven Applespams, all pushed out within a few hours. You should rename this site “AppleHack”.

  15. Anonymous said on September 13, 2023 at 11:14 pm
    Reply

    I can’t believe people waste their money on smartwatches. The world has truly gone insane.

  16. Anonymous said on September 13, 2023 at 11:18 pm
    Reply

    A total waste of money. That’s why people can’t afford basic necessities anymore. They just keep falling for Apple’s BS every year.

  17. Anonymous said on September 14, 2023 at 4:02 pm
    Reply

    That is, if you don’t mind paying for Apple and their US Gestapo friends reading your most intimate data to use it against you.

  18. Tom said on September 15, 2023 at 8:17 am
    Reply

    > Apple also updated the macOS Sonoma 14 web page to reveal the release date of its desktop operating system. Sonoma will be released on October 26.

    This is not true. The website says September 29. I have no idea where your October 26 comes from.

    > Rumors suggest that Apple could announce the first M3 Mac in October, though another reliable leaker quashed hopes for any new MacBooks.

    I am not aware of any _current_ rumor that suggests that there will be a M3 Mac before 2024.

    Is this again an AI written article?

  19. Bruce Tech Guy said on September 15, 2023 at 10:03 am
    Reply

    Just an FYI on the USB C situation.
    The iPhone 15 and 15 Plus only use the USB-C end-connector. The actual cable attached to it transfers data at the many years old Lightning cable speed, which is USB 2.0 based. (Max 480 Mbits/s in ideal lab conditions.)
    If you want iPhone USB data transfer at true USB 3.0 speed, then you have to pay more to buy the iPhone 15 Pro or 15 Pro Plus, which transfers data at actual USB 3.0 speed (5 Gbit/s in ideal lab conditions).

    Just another example of Apple using absurd (and very mean-spirited, IMO) down-grading of their lower-priced phone hardware. I mean, who else would sell an $799+ phone in 2023, using a data port that transfers at USB 2.0 speed?
    The USB 2.0 spec was published in year 2000, 23 years ago.
    The USB 3.0 spec was published in 2008 and the USB C connector spec was published in 2014, tho not widely adopted til paired with USB 3.2 in 2017, fyi.

  20. bruh said on September 19, 2023 at 10:11 am
    Reply

    Man, I find this stuff so cringy – but obviously, it appeals to a certain type of person. I have no issue with Apple, my only issue is that every other hardware and software manufacturer seem to just be trying to copy Apple, instead of coming up with original ideas & visions. I don’t blame Apple for “innovating” in whatever direction they feel necessary, I’m just annoyed that nobody else is,,,

    Android is looking more like iOS, Windows 11 is looking more like MacOS, I had to set up a “premium” high-spec Dell laptop recently at work which just looked like a knock-off Macbook. It’s just sad.

    1. Tony said on September 19, 2023 at 4:00 pm
      Reply

      People aren’t going to buy stuff that strays too far from the norm. Take for example foldables. I haven’t seen anyone personally that has one, nor are they “taking the market by storm”.

      RE: Android looking more like IOS:

      That ‘Material You’ garbage is thankfully nowhere near iOS. I think you might be referring to Samsung’s UI though. They try to keep things like Apple to win over Apple users (I think anyways). If it weren’t for Samsung’s UI though, Android would be totally a non-option for me, as Material You is just plain ugly.

    2. Anonymous said on September 25, 2023 at 10:58 pm
      Reply

      I agree that it’s all so cringeworthy and juvenile. I’ve never understood the attraction of Apple products.

  21. Photographer said on September 26, 2023 at 12:41 am
    Reply

    Looking forward to Jpeg-XL going mainstream.

    Modern hardware and displays need image formats supporting HDR and more than 8bit color depth.

  22. JohnIL said on September 26, 2023 at 12:09 pm
    Reply

    I don’t see the big deal about iPhone 15. Only reason why I bought one was because I was tired of my small iPhone 13 Mini. Otherwise, the 15 is just another incremental upgrade. Unless you have a iPhone unsupported or broken. I think spending $800 plus for a smartphone every couple years is ridiculous.

  23. pHROZEN gHOST said on September 26, 2023 at 2:51 pm
    Reply

    Simple solution: power it off. Enjoy the freedom.

  24. Anonymous said on September 27, 2023 at 6:45 am
    Reply

    The longer it takes you to fix the comment problem, the greater the lack of respect for your readers.

    1. Tony said on September 27, 2023 at 4:20 pm
      Reply

      I suspect that they are intentionally leaving commenting broken.

      On a side note, I’ve just bought an i15Pro and I always make it a point to decline analytics, however when I checked the location settings, it had iPhone Analytics enabled. Truly angering….

      1. Martin Brinkmann said on September 27, 2023 at 4:30 pm
        Reply

        This is not true.

  25. Ridiculous-crap-comments said on September 27, 2023 at 9:04 pm
    Reply

    Love wading through the ancient, 100% unrelated garbage comment muck to get to the few actually about the post. Thanks for wasting everyone’s time.

    Why can’t you recognise how useless and annoying that crap is???
