Unveiling Mac Security: Comprehensive Exploration of Sandboxing and AppData TCC
The blog analyzes macOS security, focusing on sandboxing, TCC, and SIP. It highlights over 40 vulnerabilities since mid-2023, discusses specific issues like CVE-2023-42947, and calls for improved disclosure and patching.
The blog post by Zhongquan Li provides an in-depth analysis of macOS security mechanisms, focusing on sandboxing and the AppData Transparency, Consent, and Control (TCC) framework. It discusses the System Integrity Protection (SIP) feature, which restricts root access to prevent malicious software from altering protected files. The author explores various vulnerabilities, including a method to escape the application sandbox by launching non-sandboxed apps and the implications of quarantine protection on app execution. The post highlights over 40 exploitable logic vulnerabilities discovered since July 2023, with a particular emphasis on the challenges of disclosing these vulnerabilities due to Apple's response regarding unpatched issues. The author also details specific vulnerabilities, such as CVE-2023-42947, which allows the creation of app folders without quarantine attributes, and discusses the potential for abuse within the AppData TCC framework. The presentation aims to inform the security community about the current state of macOS vulnerabilities and the need for improved security measures.
- The blog discusses macOS security features, including System Integrity Protection and TCC.
- It highlights over 40 exploitable vulnerabilities found in macOS since mid-2023.
- The author presents methods for escaping application sandboxes and launching non-sandboxed apps.
- Specific vulnerabilities, such as CVE-2023-42947, are examined for their potential impact.
- The need for better vulnerability disclosure and patching by Apple is emphasized.
Related
3M iOS and macOS apps were exposed to potent supply-chain attacks
Vulnerabilities in CocoaPods server exposed 3 million apps to supply-chain attacks for a decade. Flaws allowed hackers to inject malicious code, compromising sensitive user data. Developers urged to prioritize security measures.
'Almost every Apple device' vulnerable to CocoaPods
Security researchers found vulnerabilities in CocoaPods, allowing malicious code insertion and remote code execution. Pod owners were at risk of a zero-click takeover. CocoaPods issued patches, emphasizing the need for secure software development practices.
Our Audit of Homebrew
Trail of Bits audited Homebrew, identifying non-critical security issues like sandbox escapes and unauthorized modifications. Risks in CI/CD workflows could expose credentials, highlighting the need for improved security practices.
Study finds organizations have a significant gap in security on macOS endpoints
A study by Picus Security reveals macOS endpoints prevent only 23% of cyberattacks, with rising malware threats and weak security practices, emphasizing the need for enhanced security measures in organizations.
The Mac Is a Power Tool
The evolution of macOS security features has led to stricter measures that may hinder power users, suggesting a need for balance between safety and functionality, influenced by the iPad's environment.
> From a system design perspective, I believe User-Selected / User-Approved feature is one of the most powerful functions on Mac
Most people using computers and phones do not want to deal with ACLs or permissions or anything like that; instead they either want it to magically work (which is a bad idea since there is no implementation of that idea that is also secure), or they accept a system that will ask them based on their intent.
If we can figure out if something was intended (the 'User-Selected / User-Approved' part), we're going to have a much better time creating systems that make security acceptable and applicable for mass market users. It still won't be perfect, and you'll still have things like social engineering or simply tricking users into believing they want to do something, but at least the primary reasoning will exclude processes sneaking in all sorts of activity that is supposed to be based on what the user wants (mostly... different people want different things and you'll find incompatible needs on the outer edges of the spectrum).
Asking someone 10 times to approve full disk access for some random binary name that doesn't ring a bell isn't useful (as it doesn't really resonate with a normal user's intent). But asking if "Chat App" should be allowed to "Manage your payment cards" is something people can form a pretty decent opinion on.