PSA A security researcher has discovered a vulnerability in macOS that could allow an attacker to view every file on the system. Using it, hackers can bypass every layer of Mac security, change core system files and gain access to webcams. Apple patched it last year, but older macOS versions are still vulnerable.
Apple patched a critical vulnerability in macOS Monterey last October, but older versions remain vulnerable to a code-injection technique that could leave Macs wide open. There are no known cases of attackers using the vulnerability, but it could expose sensitive information or grant hackers elevated privileges.
The vulnerability can bypass two major security measures designed by Apple to prevent malicious code from spreading through the system. The first is the macOS sandbox, which is supposed to confine malicious code to the app it has compromised. The second, System Integrity Protection (SIP), prevents unauthorized software from modifying sensitive system files. Neither protection helps on systems that have not been patched.
The vulnerability works by hijacking the way macOS suspends programs when the user is idle or shuts down the system. When an application needs to wake up, the system reads certain files to restore it from the saved state. This saved state is not protected as well as the application is during normal operation.
Researcher Thijs Alkemade found a way to change the files macOS reads when reactivating suspended apps, which allowed him to run code in ways the system is not supposed to permit. The technique can be reused to jump into other applications and eventually bypass SIP to modify some system files. Apple fixed the bug after he reported it. However, this only protects users running the latest version of macOS.
Previous events have shown that Apple tends to patch only the latest versions of its operating systems, even though many users do not upgrade. In November, a cyberattack in Hong Kong exploited a vulnerability that Apple had already patched in Monterey's predecessor, Big Sur. The affected systems were running an earlier version, Catalina, which Apple only fixed after the attack.
While the latest exploit has probably not been used by anyone so far, it seems serious enough that Apple should soon backport the fix to older macOS versions such as Big Sur and Catalina.