Software bugs and security flaws are constantly found. Waiting at least a couple of months isn't going to change that.

Best course of action is to make sure your system is up to date.

Nothing is going to change the fact that there will always be bugs and security flaws, so we can safely ignore that to make our decisions.

Major changes introduce new problems not present in previous versions. Older versions have been tested in the wild for longer so its major problems should be fixed (in principle).

Security is not the only concern. For example, in the past new macOS versions have been notable for breaking Adobe apps. It seems this time Adobe has done its homework, but it's a first in a very long time.
 
I hope this is not like High Sierra full of security flaws discovered after every dot update. I'm hoping this is a solid macOS for years to come. Otherwise I'll land on Sierra for compatibility for older software.
 
If this guy has access to the various betas, this is a real chump move. The defect would have been present in at least the last beta, if not before.

Hell, it would have been present in the GM which was released almost 2 weeks ago. That's the whole point of releasing a GM - to find and fix last minute issues before the official release :p
 
Do I understand this correctly?

High Sierra would just let a program that the user was stupid enough to download and run access their data.

Mojave is supposed to stop the access, but he found a bug that lets him bypass the restrictions?
 
It's not free just because Apple stopped charging a separate fee for software. Every time someone buys a Mac, they are still paying for hardware + software.

The privilege escalation vulnerability in last year's High Sierra release was a huge embarrassment and could have been found with some simple testing. But it's also unreasonable to expect an OS to be completely bug-free.

You paid for the software updates when you purchased the hardware.

Still free. Apple used to charge $129 for these upgrades. Macs have always been priced on the higher end, so you can't debate that they cost more now because you're paying for the software upgrades; with inflation they still cost about the same as they did when Apple charged for upgrades. Case closed, it's free software, stop complaining.
 
Researcher Patrick Wardle, who has uncovered many security flaws in Apple's macOS operating system, today shared some details on a new vulnerability that he's found in the newly released macOS Mojave update.

As outlined by BleepingComputer, Wardle discovered that he was able to access Contacts data from the address book using an unprivileged app, as demonstrated in the video below.


According to Wardle, the vulnerability is a result of the way that Apple implemented the new macOS privacy protections in the Mojave update. The bypass does not work against all of the new privacy protection features in macOS Mojave, and hardware-based components, such as the webcam, are not affected. Full details on the vulnerability are not available yet, as Wardle plans to share technical details in November.

In the macOS Mojave update, Apple made a change that requires explicit user consent before apps can access location data, the camera, contacts, calendars, reminders, message history, Safari data, mail databases, and other sensitive data. That consent requirement is exactly the protection that should block the kind of access Wardle demonstrates.


Apple will undoubtedly address the security flaw discovered by Wardle in an upcoming update to macOS Mojave.

Article Link: Bypass Flaw in Newly Released macOS Mojave Update Lets Hackers Access Protected Files
This reminds me of that time that Apple released a version of iMacOSx that allowed people to gain root by just pressing enter with no password... I love Apple's new beta-testing program... where they release beta software as if it's release-ready, to find the bugs they used to find and crush BEFORE releasing their new OS to the general user populace.
 
Still free. Apple used to charge $129 for these upgrades. Macs have always been priced on the higher end, so you can't debate that they cost more now because you're paying for the software upgrades; with inflation they still cost about the same as they did when Apple charged for upgrades. Case closed, it's free software, stop complaining.
That was a long time ago - the most recent upgrades they charged for were $39 and $29 before they went free, if I recall correctly.
 
By this time, I think we should all agree that software is a flawed mechanism to store secure data. There is always some vulnerability somewhere. In a second, someone anywhere in the globe can hack your files and download GBs of your personal data, everything from bank statements, personal emails, chat history, browsing history, home videos, even personal diaries....

We really should take a step back... not everything should be connected, stored online, and synced...
 
Still free. Apple used to charge $129 for these upgrades. Macs have always been priced on the higher end, so you can't debate that they cost more now because you're paying for the software upgrades; with inflation they still cost about the same as they did when Apple charged for upgrades. Case closed, it's free software, stop complaining.

The question is why do they release it free, and why do they insist on nagging people to continuously upgrade? Surely it's more profitable for them this way.
I have learned that Windows 7 still makes up like 40% of the PC userbase... that was released 9 years ago... that's Snow Leopard in Mac years!
 
Hmmm, Apple's bug bounty program not found.

There is really none?

There's one for iOS but none and never has been for macOS. It really shows how their priorities are aligned.

As a programmer, I can completely understand this guy. His video is full of bitterness towards Apple and jokes (have you seen the contacts list?). He wanted to show that their QA is laughable and there's help to be had, you just have to spill some of those coins, you know?

As to people who say he should let them know for free: some people do that because they're nice. Some people do that because they are researchers at Google, Cisco or some other company that pays them to do this. Some people could use money just because they spent time digging up these bugs. Little do you know that such exploits are worth a lot on the black market, and if it's not Apple paying for the data, it will be some national agency (if the exploit is good enough).

Did the guy do bad for showing it? Probably. Did Apple do bad by not offering bug bounty yet? Yes?!
 
Aloha "Patrick"

If you really are who you say you are (skeptical), then I have some words for you. You have shown that there is a vulnerability in a brand new feature of an operating system on release day. No doubt, you timed this information release with the consumer release. If you had posted this information a week ago, in the format that you did, I would not have posted such a scathing assessment of your motives. However, instead you have diverted the publicity of the release of a brand new operating system to your address book security bypass exploit. Congratulations on your media storm; this serves nothing but yourself.

There are reasons why ethical security researchers post information to the public. Those reasons include:

Active exploitation (i.e. malware found in the wild)
Refusal from the vendor to fix a known vulnerability
Edit: Also to provide mitigation instructions, which you have not.

None of these cases are true, unless you can show us an email from Apple stating they do not consider what you did a vulnerability. There is no reason why you could not sit on your hands, or assist Apple in developing a fix (they pay double for this, in their insider program I will mention later) while Apple included their fix in 10.14.1 or 10.14.0.1. This has minimal risk of being actively exploited, especially since you obviously knew of this flaw during beta. The whole point of the beta program is for testers and professionals to find bugs and fix them before they go live. By posting in the format you did, all you have done is make the security industry look bad.

Apple does have a bug bounty program, they just offer it to researchers that have a track record with them. If you wanted to get paid for your vulnerabilities, either work with Apple to get on that list, or send your vulnerabilities to the Zero Day Initiative.

I ask you to question yourself if you really did this to help the public, or to draw attention to yourself. Thank you for reading my lengthy response.

I think it is perfect timing. The more attention these issues get, the better for consumers. As long as he doesn't sell the zero-day on the black market but shares it with the public, I am good with it.
Seems like you are more concerned with the reputation of the Apple brand than their customers' security.
 
And that's why you never install a new major macOS version until at least a couple of months have passed
What, because security researchers withhold vulnerabilities they discovered in beta until it’s released to the public?

Waiting to update will allow others (early adopters = testers :D) to find some of those flaws that are fixed / patched by the time version xx.3 is released.

Unfortunately, my 2008 Mac Pro is still at OS X 11.6 because no new Mac Pro has been released or even announced. The newest has electronics that are 4+ years old which means I am not spending good money on an old computer.
 
I think it is perfect timing. The more attention these issues get, the better for consumers. As long as he doesn't sell the zero-day on the black market but shares it with the public, I am good with it.
Seems like you are more concerned with the reputation of the Apple brand than their customers' security.
Vulnerabilities like this are discovered every day. We, as ethical researchers, should follow the industry standard of reporting these vulnerabilities so that the customer gets the fix as fast as possible, and that information on the vulnerabilities does not leak out.

It does not matter that it was Apple, it could have been Microsoft releasing the latest Windows 10 "creator update" or whatever they are flavoring their builds as. If you have knowledge of a vulnerability during beta, you report it during beta and they fix it during beta. It is that simple.

This guy took the time to discover the vulnerability, write an exploit for it that worked, then sat on his hands until release day to make a statement and get publicity. That is what I have an issue with. It was unethical, and unprofessional.
 
Vulnerabilities like this are discovered every day. We, as ethical researchers, should follow the industry standard of reporting these vulnerabilities so that the customer gets the fix as fast as possible, and that information on the vulnerabilities does not leak out.

It does not matter that it was Apple, it could have been Microsoft releasing the latest Windows 10 "creator update" or whatever they are flavoring their builds as. If you have knowledge of a vulnerability during beta, you report it during beta and they fix it during beta. It is that simple.

This guy took the time to discover the vulnerability, write an exploit for it that worked, then sat on his hands until release day to make a statement and get publicity. That is what I have an issue with. It was unethical, and unprofessional.

I completely agree.
 
Windows is going pretty well... have you ever checked CVE stats for macOS?

Yes, have you? They're roughly at parity for 2017 and 2018, and then when you take into account the difference in userbase, guess which is a bigger target?
 
What is partner.dmg?

Because when I clicked on this thread title it downloaded immediately, but it's zero bytes in the downloads folder.

-
 
I'm glad I opted to not update and I'll stick with HS for a little while longer
Wardle characterized the flaw as trivial and it doesn't concern me. I'm glad I updated on day one as I always do; this is the best macOS I have used to date and I have experienced zero issues.
 