Apple macOS Ventura Bug Breaks Third-Party Security Tools

The release of Apple’s new macOS 13 Ventura operating system on Monday brought a host of new features to Mac users, but it’s also causing problems for users who rely on third-party security programs like malware scanners and monitoring tools. 

In the process of patching a vulnerability in the eleventh Ventura developer beta, released on October 11, Apple accidentally introduced a flaw that cuts off third-party security products from the access they need to do their scans. And while there is a workaround to grant the permission, users who upgrade their Macs to Ventura may not realize that anything is amiss or have the information needed to fix the problem. 

Apple told WIRED that it will resolve the issue in the next macOS software update but declined to say when that would be. In the meantime, users could be unaware that their Mac security tools aren’t functioning as expected. The confusion has also left third-party security vendors scrambling to understand the scope of the problem.

“Of course, all of this coincided with us releasing a beta that was supposed to be compatible with Ventura,” says Thomas Reed, director of Mac and mobile platforms at the antivirus maker Malwarebytes. “So we were getting bug reports from customers that something was wrong and we were like, ‘crap, we just released a flawed beta.’ We even pulled our beta out of circulation temporarily. But then we started seeing reports about other products, too, after people upgraded to Ventura, so we were like, ‘uh oh, this is bad.’”

Security monitoring tools need system visibility, known as full disk access, to conduct their scans and detect malicious activity. This access is significant and should only be granted to trusted programs, because it could be abused in the wrong hands. As a result, Apple requires users to go through multiple steps and authenticate before they grant permission to an antivirus service or system monitoring tool. This makes it much less likely that an attacker could somehow circumvent these hurdles or trick a user into unknowingly granting access to a malicious program. 

Longtime macOS security researcher Csaba Fitzl found, though, that while these setup protections were robust, he could exploit a vulnerability in the macOS user privacy protection known as TCC, or Transparency, Consent, and Control, to easily deactivate or revoke the permission once granted. In other words, an attacker could potentially disable the very tools users rely on to warn them about suspicious activity.

Apple attempted to fix the flaw multiple times throughout 2022, but each time, Fitzl says, he was able to find a workaround for the company’s patch. Finally, Apple took a bigger step in Ventura and made more comprehensive changes to how it manages the permission for security services. In doing that, though, the company made a different mistake that’s now causing the current issues.

“Apple fixed it, and then I bypassed the fix, so they fixed it again, and I bypassed it again,” Fitzl says. “We went back and forth like three times, and eventually, they decided that they will redesign the whole concept, which I think was the right thing to do. But it was a bit unfortunate that it came out in the Ventura beta so close to the public release, just two weeks before. There wasn’t time to be aware of the issue, it just happened.”

Author: showrunner