Apple MacOS Ventura Bug Breaks Third-Party Security Tools

Credit to Author: Lily Hay Newman | Date: Wed, 26 Oct 2022 22:21:29 +0000


The release of Apple's new macOS 13 Ventura operating system on October 24 brought a host of new features to Mac users, but it's also causing problems for those who rely on third-party security programs like malware scanners and monitoring tools. 

In the process of patching a vulnerability in the 11th Ventura developer beta, released on October 11, Apple accidentally introduced a flaw that cuts off third-party security products from the access they need to do their scans. And while there is a workaround to grant the permission, those who upgrade their Macs to Ventura may not realize that anything is amiss or have the information needed to fix the problem. 

Apple told WIRED that it will resolve the issue in the next macOS software update but declined to say when that would be. In the meantime, users could be unaware that their Mac security tools aren't functioning as expected. The confusion has left third-party security vendors scrambling to understand the scope of the problem.

“Of course, all of this coincided with us releasing a beta that was supposed to be compatible with Ventura,” says Thomas Reed, director of Mac and mobile platforms at the antivirus maker Malwarebytes. “So we were getting bug reports from customers that something was wrong, and we were like, ‘crap, we just released a flawed beta.’ We even pulled our beta out of circulation temporarily. But then we started seeing reports about other products, too, after people upgraded to Ventura, so we were like, ‘uh oh, this is bad.’”

Security monitoring tools need broad file-system visibility, a macOS permission known as Full Disk Access, to conduct their scans and detect malicious activity. This access is significant and should be granted only to trusted programs, because it could be abused in the wrong hands. As a result, Apple requires users to go through multiple steps and authenticate before they grant the permission to an antivirus service or system monitoring tool. This makes it much less likely that an attacker could circumvent those hurdles or trick a user into unknowingly granting access to a malicious program.

Longtime macOS security researcher Csaba Fitzl found, though, that while these setup protections were robust, he could exploit a vulnerability in the macOS user privacy protection framework known as Transparency, Consent, and Control (TCC) to easily deactivate or revoke the permission once it had been granted. In other words, an attacker could potentially disable the very tools users rely on to warn them about suspicious activity.

Apple attempted to fix the flaw multiple times throughout 2022, but each time, Fitzl says, he was able to find a workaround for the company's patch. Finally, Apple took a bigger step in Ventura and made more comprehensive changes to how it manages the permission for security services. In doing that, though, the company made a different mistake that's now causing the current issues.

“Apple fixed it, and then I bypassed the fix, so they fixed it again, and I bypassed it again,” Fitzl says. “We went back and forth like three times, and eventually they decided that they will redesign the whole concept, which I think was the right thing to do. But it was a bit unfortunate that it came out in the Ventura beta so close to the public release, just two weeks before. There wasn't time to be aware of the issue. It just happened.”

If you use a security scanner on your Mac and you update to macOS Ventura, check the program directly to see if it's flagging an error. The workaround to fix the problem is simple once you know to do it. In System Preferences go to Security & Privacy, then the Privacy tab, and then Full Disk Access. Click the lock icon in the lower-left corner of the screen and authenticate with your system password to allow changes. Then uncheck the box next to any security services that are malfunctioning, to let the system know you want to disable their permission. Click the lock in the lower-left corner again to save the change, then redo the process and recheck the relevant boxes to freshly enable the permission without the flaw.
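The article's point is that a tool can silently lose Full Disk Access after the upgrade. As an added check (not from the article or from any vendor mentioned in it), the script below audits the grants recorded in the system TCC database for a list of bundle identifiers. It assumes the database path, the service name `kTCCServiceSystemPolicyAllFiles`, and that `auth_value` 2 means allowed; the bundle identifiers it reports on are constructed placeholders, and reading the database itself requires the shell to have Full Disk Access.

```shell
#!/bin/sh
# Audit which clients hold Full Disk Access according to the system TCC database.
# Assumptions (not stated in the article): database location, service name, and
# auth_value 2 == allowed. The shell running this needs Full Disk Access to read it.
TCC_DB="/Library/Application Support/com.apple.TCC/TCC.db"

# Emit every Full Disk Access row as "client|auth_value" (sqlite3 default format).
fda_rows() {
  sqlite3 "$TCC_DB" \
    "SELECT client, auth_value FROM access WHERE service='kTCCServiceSystemPolicyAllFiles';"
}

# fda_status ROWS BUNDLE_ID -> prints granted, denied, or missing for one client.
# "missing" means the system has no record at all, i.e. the checkbox was never set.
fda_status() {
  printf '%s\n' "$1" | awk -F'|' -v b="$2" '
    $1 == b { found = 1; print ($2 == 2 ? "granted" : "denied"); exit }
    END { if (!found) print "missing" }'
}

# check_tools ROWS BUNDLE_ID... -> prints one line per tool; returns 1 if any
# tool is not granted, so the script can be used from a cron or MDM health check.
check_tools() {
  rows=$1; shift; rc=0
  for b in "$@"; do
    s=$(fda_status "$rows" "$b")
    printf '%-40s %s\n' "$b" "$s"
    [ "$s" = granted ] || rc=1
  done
  return $rc
}

# Only query the live database when it is present and readable (macOS with FDA);
# the bundle identifier below is a constructed placeholder, not a real product's.
if [ -r "$TCC_DB" ] && command -v sqlite3 >/dev/null 2>&1; then
  check_tools "$(fda_rows)" "com.example.securityscanner"
fi
```

Replace the placeholder with the bundle identifiers of the security tools you actually run; a tool that reports "denied" or "missing" after the upgrade is a candidate for the uncheck-and-recheck workaround above.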

“Once you upgrade to Ventura, you could run a Malwarebytes scan, but it wouldn’t scan everything that it could if it had full disk access, and all of the real-time protection features are completely disabled,” Malwarebytes' Reed says. “We get handicapped if we don’t get full disk access. And there are a number of ways that you could tell if Malwarebytes is not functioning properly, but if you’re not looking in the right places or you disabled certain settings, you might not notice. With other security clients, it's probably similar—if you’re not interacting with it, you might not know.”

Researchers noticed—and Apple confirmed to WIRED—that the bug doesn't happen when large organizations use Apple's “mobile device management” program to upgrade their fleet of devices to Ventura. This is significant, because if the bug carried over to managed enterprise devices, it would mean yet another reason for companies to put off important software updates. 

macOS security researcher Patrick Wardle, founder of the Objective-See Foundation, says that he still recommends regular users upgrade their Macs to Ventura to get the new operating system's other security and privacy protections. In the meantime, though, Wardle says he has been deluged by bug reports about his free, open-source malware monitoring tool, BlockBlock. The Ventura bug even makes it appear that security services like BlockBlock and Malwarebytes have been granted extra system access beyond what these programs request, including the Accessibility permission, Input Monitoring, and even Screen Recording.

“Users were understandably asking me, ‘Why does your tool need that?!’ And I'm like, ‘Uh, I have no idea. It doesn't!’” Wardle says. “It shows that when Apple is pushing out security fixes for reported bugs, they're still struggling to do that comprehensively and successfully without breaking other things. And in this case, they’re shipping a version of their operating system that is breaking security tools for millions, if not tens of millions, of users. It's frustrating and disheartening.”

Independent researcher Fitzl, who presented his original findings on the permission-disabling vulnerability at Black Hat Asia in May and at Wardle's Objective-See Mac and iOS security conference at the beginning of October, says that he's sympathetic about the misstep.

“Apple was trying to redesign this thing to fix all of my bypasses, and they made a mistake—it happens,” he says. But he adds, ruefully, that the whole situation has played out in an unfortunate way. “I felt a bit weird about all of these issues and knowing that I pushed Apple into this because I was trying to get something else fixed.”
