Considering Mojave is the last Mac OS that supports 32 bit apps, hopefully they will backport this fix to that OS as well.
Apple can do a better job of letting us know when an OS is actually no longer supported.

Mojave's successor Catalina added a lot of hardening to the privacy controls, and they're not going to backport that.
 
TCC is 10 years old now, and today is the first time that I've heard of it. 🥴

Here's an article from months ago talking about its history, design and weaknesses...

I'm surprised that Apple is using an SQL database for this. They have used XML-based plists (i.e. "property lists") forever, and then took over the FoundationDB project, which I always thought would be a fast, efficient and secure replacement. (Why isn't FoundationDB being used yet? Anyone know? Is it overkill?)

SQLite is a solid embedded database solution, but this seriously feels like a weakness when the database itself can be compromised simply by replacing a file on disk.
I have zero qualifications to answer your question as I do not work on the macOS team or at Apple but I imagine replacing something like this is always time consuming and will produce bugs that need to be found. Developers always have to consider whether it's worth it to jump to newer technology.
 
Love to see Microsoft, Google, and Apple working together for our safety and security.

You just know companies like Facebook and Verizon would exploit these holes—and probably do.
Wouldn't Apple just muck them? Not help them?
 
I'm surprised that Apple is using an SQL database for this. They have used XML-based plists (i.e. "property lists") forever,

They could've put the info in a plist instead, yep. Maybe they wanted multiple forms of queries, e.g.:

SELECT * FROM access WHERE client == 'com.microsoft.VSCode';

SELECT * FROM access WHERE service == 'kTCCServiceAccessibility';

A plist locks you into either of those two: you either structure the file based on the client, or based on the service, but not both (or you end up with redundant data).

and then took over the FoundationDB project, which I always thought would be a fast, efficient and secure replacement. (Why isn't FoundationDB being used yet? Anyone know? Is it overkill?)

It's a distributed database, so it was probably never intended for their client OSes, but rather for iCloud.

SQLite is a solid embedded database solution, but this seriously feels like a weakness when the database itself can be compromised simply by replacing a file on disk.

It can't, though — generally speaking, you can't write to that file without SIP off.
 
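The plist-versus-SQL trade-off from the post above, as an added example that is not part of the original thread: one table answers both the by-client and the by-service question, while a plist keyed by client has to be scanned in full for the by-service one. The two-column `access` schema, the `com.example.*` clients, the helper names and all rows are constructed for illustration and are a simplification, not the actual TCC.db layout.

```python
import plistlib
import sqlite3

# Constructed sample grants (service, client); not read from a real TCC.db.
ROWS = [
    ("kTCCServiceAccessibility", "com.microsoft.VSCode"),
    ("kTCCServiceAccessibility", "com.example.helper"),
    ("kTCCServiceCamera", "com.example.meeting"),
    ("kTCCServiceSystemPolicyAllFiles", "com.microsoft.VSCode"),
]

def build_db(rows):
    """In-memory database with a simplified, assumed `access` table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE access (service TEXT, client TEXT, "
               "PRIMARY KEY (service, client))")
    db.executemany("INSERT INTO access VALUES (?, ?)", rows)
    return db

def services_for_client(db, client):
    """Everything one app has been granted."""
    sql = "SELECT service FROM access WHERE client = ? ORDER BY service"
    return [row[0] for row in db.execute(sql, (client,))]

def clients_for_service(db, service):
    """Every app holding one permission: the same table, the other axis."""
    sql = "SELECT client FROM access WHERE service = ? ORDER BY client"
    return [row[0] for row in db.execute(sql, (service,))]

def build_plist(rows):
    """The same grants as a plist keyed by client: {client: [service, ...]}."""
    by_client = {}
    for service, client in rows:
        by_client.setdefault(client, []).append(service)
    return plistlib.dumps(by_client)

def plist_clients_for_service(blob, service):
    """No key exists for the service, so every client entry is scanned."""
    data = plistlib.loads(blob)
    return sorted(c for c, granted in data.items() if service in granted)

def unexpected_clients(db, service, allowlist):
    """Audit helper: clients holding `service` that are not on the allowlist."""
    return [c for c in clients_for_service(db, service) if c not in allowlist]

if __name__ == "__main__":
    db = build_db(ROWS)
    print(services_for_client(db, "com.microsoft.VSCode"))
    print(unexpected_clients(db, "kTCCServiceAccessibility", {"com.microsoft.VSCode"}))
```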
They should reallocate their resources and focus more on their own vulnerabilities. There are a disproportionate number of Windows security holes vs macOS security issues.
This literally isn't true. Apple (Mac OS, iOS, etc.) has had a significant number of vulnerabilities reported in 2021.


* As a caveat, you need to bundle many vulnerabilities together across the software package noted. I.e., Windows 10 shares many of the same vulnerabilities as Windows Server, etc. Just like MacOS and iOS share many of the same.
 
Mojave's successor Catalina added a lot of hardening to the privacy controls, and they're not going to backport that.
They won't, sorry. They only support 2 OSes back, no matter what. The only real exception was when they had to renew the certificates that OS installed check before running. There's a chance someone else could fix this, like what we see in the unofficial 10.5.9 "Sorbet Leopard" build. There's also a chance the bug doesn't exist outside of macOS 12 and 11, since Apple overhauled a lot of things in 11. I don't see any listings online to indicate this being fixed in 10.15, nor any stating it needed/needs to be fixed. However, Apple's documentation has been less than par lately.
 
They won't, sorry. They only support 2 OSes back, no matter what.

Yeah, that's what I said?

There's also a chance the bug doesn't exist outside of macOS 12 and 11, since Apple overhauled a lot of things in 11.

I'm guessing the bug does "exist" in the sense that Mojave's TCC was a lot less strict — but to make it stricter, you'd need to significantly change that subsystem, which is too much of an undertaking to be worth it to Apple.

I don't see any listings online to indicate this being fixed in 10.15, nor any stating it needed/needs to be fixed. However, Apple's documentation has been less than par lately.

Various TCC bugs were fixed in 10.15, but not this particular one. Unclear if it's affected.
 
This literally isn't true. Apple (Mac OS, iOS, etc.) has had a significant number of vulnerabilities reported in 2021.


* As a caveat, you need to bundle many vulnerabilities together across the software package noted. I.e., Windows 10 shares many of the same vulnerabilities as Windows Server, etc. Just like MacOS and iOS share many of the same.
Still fares far better than Windows.



Showing PC OS only.
 
They should reallocate their resources and focus more on their own vulnerabilities. There are a disproportionate number of Windows security holes vs macOS security issues.

Microsoft creates software for Windows, MacOS, iOS, Linux, Android etc.

Monitoring vulnerabilities across all platforms they create software for is in their best interest.

It's surprising this needs to be explained to anyone at all to be honest.
 
Mojave's successor Catalina added a lot of hardening to the privacy controls, and they're not going to backport that.
Which doesn't address the fact that Mojave is the last MacOS that supports 32 bit apps though.
You see, Apple released iOS 12.5.5 in 2021. In other words, they CAN support the older OS if they wanted to.
 
Microsoft creates software for Windows, MacOS, iOS, Linux, Android etc.

Monitoring vulnerabilities across all platforms they create software for is in their best interest.

It's surprising this needs to be explained to anyone at all to be honest.

Their security research team also isn't the same as their OS development team.
 
Which doesn't address the fact that Mojave is the last MacOS that supports 32 bit apps though.

Yes, and 10.5 is the last macOS that supports PowerPC. Also, 8.1 was the last Mac OS to support 68k.

Old stuff gets killed off, at some point.

You see, Apple released iOS 12.5.5 in 2021. In other words, they CAN support the older OS.

They can, but don't hold your breath for any further Mojave updates. They might happen, but they probably won't.
 
Some of you don't understand Microsoft. They are one of the top security companies in the world. Do yourself a favor and look up their Security Graph.

One issue I have with security hunters is when they release the vulnerability to the public before the vendor has an opportunity to fix it (Google). I'm happy to see this was not disclosed until after a fix was available.
 
Apple has a history of crediting BIG companies if they discover something, but small companies rarely get ANY recognition OR compensation!

Still, glad this issue is making the rounds today!
 
Nope, it isn't, that's OS X.
If you are serious... macOS is everything but OS X but in name. In fact, to get the real number you have to add them both together, 604 for macOS and 2956 for OS X, and you get 3406, which means it's actually third, not 4th.

And yes, I'm aware the same adds up if you add all Windows together that are NTFS based.
 
Shouldn’t MSFT focus on finding and addressing their own security holes?
"Tackle that guy!"
"Not my job."
"You're just standing there and he bumped into you as he ran by!"
"Not my job. I was supposed to block that guy over there but he ran right instead of left."
"That guy scored because we have prima donnas on our defense!"

They should reallocate their resources and focus more on their own vulnerabilities. There are a disproportionate number of Windows security holes vs macOS security issues.
Fake news. There, I said it; deal with it.
Just because this is an Apple-focused site doesn’t mean we hate other companies.
Amen!
They are literally helping out macOS users for free and you have nothing else to do but complain?
I know, right?
Wouldn't Apple just muck them? Not help them?
Let that happen and let it become common knowledge. Nobody has their market locked down THAT tightly that they'll survive outright and blatant morality lapses. Not Microsoft, and not Apple.
Apple has a history of crediting BIG companies if they discover something, but small companies rarely get ANY recognition OR compensation!

Still, glad this issue is making the rounds today!
Ooh! Ohh! I know why!
Why give credit to a company when it might just end up costing you more to acquire them?
If you are serious... macOS is everything but OS X but in name. In fact, to get the real number you have to add them both together, 604 for macOS and 2956 for OS X, and you get 3406, which means it's actually third, not 4th.

And yes, I'm aware the same adds up if you add all Windows together that are NTFS based.
In 1492, Columbus sailed the ocean Blue. You confused me so much I had to go back to rhyming to make my head stop hurting!
 
Considering Mojave is the last Mac OS that supports 32 bit apps, hopefully they will backport this fix to that OS as well.
Apple can do a better job of letting us know when an OS is actually no longer supported.
I’d argue High Sierra should take that last 32-bit OS spot. But even so, I highly doubt Apple will update any 32-bit OS at this point, especially after the transition to Apple Silicon.
 
I’d argue High Sierra should take that last 32-bit OS spot. But even so, I highly doubt Apple will update any 32-bit OS at this point, especially after the transition to Apple Silicon.
Sigh, if it is big enough of a security issue, then they can and shall better fix it.
Like I said, Apple even released iOS 12.5.5 in September 2021, which is 3 years after initial release.
 