App developer reveals that macOS Ventura has a security vulnerability that was reported 10 months ago
An app developer has revealed that macOS Ventura has a security issue that he reported to Apple 10 months ago. The vulnerability in question affects the App Management feature of the operating system.
What is App Management in macOS?
Apple introduced a new security feature in macOS Ventura called App Management. It enforces a policy that prevents an app from making unauthorized modifications to other apps. When the policy is triggered, macOS notifies the user that an app wanted to manage other apps and that the attempt was blocked. Users can manually allow an app to update other apps from the Privacy & Security section of System Settings. Since older versions of the operating system do not have the App Management feature, they are not affected by the following issue.
Unpatched security exploit in macOS Ventura 13.5.1
Jeff Johnson, an app developer (underpassapp.com), found a vulnerability affecting App Management in macOS Ventura and reported it to Apple on October 19, 2022. Two days later, he received an acknowledgement from the Apple Product Security Team. For context, Apple released macOS 13 Ventura on October 24, 2022.
App Management checks the code signature of apps, so that an app signed by one developer cannot modify an app signed by another developer. The bypass Johnson discovered involves the App Sandbox. There are six ways in which an app can be permitted to modify other apps, and the sixth is the one Johnson's bypass relies on. Normally, a sandboxed app, even one with limited file system access, should not be able to modify files inside another app unless it has been granted permission to do so. However, the /Applications folder is not off limits to the sandbox: a non-sandboxed app can open a file from inside another app's bundle in a sandboxed app, which extends the sandboxed app's sandbox to cover that file.
Johnson has published a sample Xcode project with the source code for two apps: a non-sandboxed app and a sandboxed, document-based helper app embedded in the former. The non-sandboxed app asks for the path of a file to modify, and its Modify File button opens that file in the sandboxed helper. The helper overwrites the contents of the file and saves it, completely bypassing App Management's restrictions.
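Because the bypass lets another process overwrite files inside an app bundle that App Management was supposed to protect, the practical check for a defender is whether a bundle still matches a known-good state. The following is an added example, not Johnson's proof-of-concept and not Apple code: it records SHA-256 digests of every file under a bundle's Contents/ folder and reports what was added, removed or modified. The Example.app bundle, its file contents and the "attacker.invalid" URL are constructed for the demonstration, so the script runs on any OS.

```python
"""Integrity baseline for a macOS-style .app bundle (added example).

Records a SHA-256 digest of every file under <bundle>/Contents and reports
changes, which is how a defender would notice the kind of tampering the
App Management bypass allows. The sample bundle below is constructed in a
temporary directory and is not a real signed application.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(bundle: Path) -> dict[str, str]:
    """Map each regular file under <bundle>/Contents to its SHA-256 hex digest.

    Keys are POSIX paths relative to the bundle root so the baseline can be
    stored outside the bundle; a baseline kept inside the bundle could be
    overwritten by the same write that tampers with the app.
    """
    manifest: dict[str, str] = {}
    contents = bundle / "Contents"
    for path in sorted(contents.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(bundle).as_posix()] = digest
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return the files added, removed or modified since the baseline was taken."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def make_sample_bundle(root: Path) -> Path:
    """Create a minimal, constructed Example.app layout (not a real signed app)."""
    bundle = root / "Example.app"
    (bundle / "Contents" / "MacOS").mkdir(parents=True)
    (bundle / "Contents" / "Resources").mkdir()
    (bundle / "Contents" / "Info.plist").write_text('<plist version="1.0"><dict/></plist>\n')
    (bundle / "Contents" / "MacOS" / "Example").write_bytes(b"\xcf\xfa\xed\xfe fake mach-o\n")
    (bundle / "Contents" / "Resources" / "config.json").write_text(
        '{"updates": "https://example.invalid"}\n'
    )
    return bundle


def demo() -> dict[str, list[str]]:
    """Baseline a sample bundle, tamper with it as the bypass would, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = make_sample_bundle(Path(tmp))
        baseline = build_manifest(bundle)
        # Simulate the bypass: another process rewrites a resource inside the
        # bundle and drops a new file next to it (constructed tampering).
        (bundle / "Contents" / "Resources" / "config.json").write_text(
            '{"updates": "https://attacker.invalid"}\n'
        )
        (bundle / "Contents" / "Resources" / "extra.dylib").write_bytes(b"injected")
        return diff_manifests(baseline, build_manifest(bundle))


if __name__ == "__main__":
    print(demo())
```

On a real Mac the authoritative check is `codesign --verify --deep --strict /Applications/Example.app`, which validates the developer-signed seal (including the resource envelope) rather than a self-maintained baseline; the manifest approach above is useful where you want to know exactly which files changed, or for unsigned or ad-hoc-signed bundles.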
When a security vulnerability is found and reported to the vendor, researchers usually wait a few months for a security patch to be released, and details of the exploit are typically published only after the bug has been addressed. This particular vulnerability, however, remains unfixed in macOS Ventura 13.5.1. Apple released macOS 13.5.1 a few days ago to fix a bug that was preventing the location permissions settings from working correctly. Johnson remarked that the straightforwardness and ease of the bypass is "truly stunning".
The developer had reported the App Management bypass under the Apple Security Bounty program, which lets users, security researchers and experts report new security issues in Apple's operating systems. The Cupertino company rewards the person who reported the vulnerability with a payment whose size depends on factors such as the quality of the report, the type of vulnerability and the number of affected users.
It turns out that Apple had not paid Johnson for sharing his findings with the company. Since he had filed the bug under the bounty program, Johnson waited to see whether Apple would fix the issue and reward his discovery. After waiting 10 months without receiving compensation for his effort, the developer writes in his article that he regrets participating in the Apple Security Bounty program. He also writes that it has been a frustrating time, that he has lost confidence in Apple's ability to protect the security of Mac users, and that he feels guilty about not acting sooner.
Oddly, he was credited, along with a few others, for reporting a security issue that was patched in macOS Ventura 13.4. CVE-2023-32357 names Jeff Johnson; the issue concerned apps that could retain access to system configuration files even after their permission had been revoked. The bug, an authorization issue, was addressed with improved state management.
The thing is, that was not the issue Johnson had found, and Apple declined to share the details with him. It told the developer that his report had been helpful in fixing CVE-2023-32357, but he did not receive a bounty for it because he was not the first person to report it to the company. Johnson had previously discovered a vulnerability that could bypass file privacy and security protections in macOS Mojave.