A macOS Ventura Flaw Breaks Third-party Security Software

While the October 24 release of macOS 13 Ventura brought many improvements to Macs, it has created issues for customers who rely on third-party security software, including virus scanners and monitoring tools.

Apple introduced a bug in the 11th Ventura developer beta, released on October 11, while trying to fix a vulnerability in the previous beta. The bug prevents third-party security programs from accessing critical system data. Though a workaround exists to enable this permission, users who have upgraded to Ventura on their Macs may be unaware of the issue or lack the knowledge to address it.

Apple assured WIRED that the problem will be fixed in the upcoming macOS software update, but the company wouldn’t provide a release date. There may be a period during which customers are blissfully unaware of the fact that their Mac’s security features aren’t performing as advertised. The uncertainty has made it difficult for independent security firms to assess the gravity of the situation.

“Of course, all of this coincided with us releasing a beta that was meant to be compatible with Ventura,” explains Thomas Reed, director of Mac and mobile platforms at antivirus firm Malwarebytes. “Customers started reporting issues, and we realized, ‘Crap, we just released a defective beta.’ We withdrew our beta from general use, even for a short time. However, as consumers upgraded to Ventura, we started hearing about issues with other products, and we thought, ‘Uh oh, this is horrible.’”


Full Disk Access, or system-wide visibility, is required for security monitoring software to perform scans and detect malicious activity. Since this privilege could be misused in the wrong hands, it should be restricted to only the most trusted applications. Apple therefore requires customers to go through several authentication steps before an antivirus service or system monitoring tool is granted access to their devices. As a result, the chances of an attack succeeding are greatly reduced, as are the chances of a user unwittingly granting this access to dangerous software by falling for an attacker’s ruse.

However, longtime macOS security researcher Csaba Fitzl discovered that despite the robustness of these setup precautions, he could quickly deactivate or revoke the privilege once granted by exploiting a weakness in macOS’s user privacy protection framework, Transparency, Consent, and Control (TCC). This means that the very tool consumers rely on to notify them of suspicious activity could be rendered ineffective by an attacker.

Despite Apple’s repeated attempts to patch the vulnerability throughout 2022, Fitzl says he was always able to find a way around the fix. With Ventura, Apple finally took a major step forward, reworking its permission management for security services far more thoroughly than before. In doing so, however, the company introduced a new bug that has led to the current predicament.

“Apple corrected it, I bypassed the fix, and then Apple fixed it again, and so on,” Fitzl says. “I think it’s fair to say that we exchanged views three times before they settled on reworking the entire concept. Unfortunately, it appeared in the Ventura beta only two weeks before the official release, which was a bit of a letdown. It was impossible to have anticipated the problem. Things fell into place by themselves.”

After installing macOS Ventura, check whether your security scanner is reporting any problems. Once you know what to do, the remedy is straightforward. To enable Full Disk Access, select Security & Privacy from System Preferences, then the Privacy tab.

Click the lock icon in the bottom-left corner of the window and enter your system password to allow changes. If any of your security tools are misbehaving, uncheck the box next to them to revoke their access, then check the box again to re-grant it; toggling the permission off and back on is what repairs it. Finally, click the lock in the bottom-left corner a second time to save the change.


Malwarebytes’ Reed explains that after the Ventura upgrade, while a scan can still be performed, “it won’t scan everything that it could if it had Full Disk Access,” and real-time protection is turned off entirely. “If we don’t have complete access to the disk, we’re at a disadvantage. There are a few telltale signs that Malwarebytes is malfunctioning, but if you aren’t paying attention or have specific settings turned off, you can miss them. That’s presumably true of other security clients as well; if you’re not using them, you might not realize there’s a problem.”

When large organizations use Apple’s mobile device management (MDM) tooling to upgrade their fleets to Ventura, the flaw does not occur, as discovered by researchers and confirmed by Apple to WIRED. This matters because if the flaw had affected enterprise-managed devices, it would have given such organizations yet another reason to delay rolling out necessary software updates.

Patrick Wardle, the creator of the Objective-See Foundation and a macOS security researcher, believes ordinary users should still upgrade to Ventura to benefit from the new operating system’s additional security and privacy features. Meanwhile, Wardle writes that he has been inundated with bug reports concerning his free, open-source malware monitoring application, BlockBlock. Because of the Ventura flaw, it may appear as though security tools like BlockBlock and Malwarebytes have been granted permissions they never asked for, such as monitoring input and recording the screen.

“Users were asking me, ‘Why does your tool need that?!’ which was understandable,” Wardle says. “I was like, ‘Uh, I don’t know. Not at all!’ It demonstrates that Apple is still having trouble releasing complete and successful security fixes for disclosed problems without causing other issues. They have released an OS version that breaks security software used by millions, if not tens of millions, of people. It’s discouraging and aggravating all at once.”

Although he understands how it happened, independent researcher Fitzl, who first disclosed his findings on the permission-revocation issue at Black Hat Asia in May and at Wardle’s Objective by the Sea Mac and iOS security conference at the beginning of October, says he feels bad about the blunder.

He explains that “Apple was trying to develop this to address all of my bypasses,” but that the company made a mistake. He adds, regretfully, that things have turned out badly overall: “I felt a bit terrible about all of these difficulties and knowing that I drove Apple into this.”