Software Engineer Discloses Zero Day Vulnerability in Apple’s Application Management System
Jeff Johnson, a software engineer and developer, recently disclosed a zero-day vulnerability in Apple’s application management system in macOS Ventura. Although he informed Apple about the issue ten months ago, the company has not taken any action to address the problem. Johnson shared the details of the vulnerability in an article on his website, lapcatsoftware.com.
The Thorny Path of Disclosure
Last October, Johnson discovered a method to control the application management function in macOS Ventura without requiring full disk access. He immediately reported this discovery to Apple Product Security. Although Apple acknowledged receipt of the report on October 21, no steps were taken to address the vulnerability. Frustrated with the lack of progress, Johnson decided to make the information public on August 19, 2023. The full article can be found on lapcatsoftware.com.
Problems with Apple’s Security Policy
Usually, developers inform the manufacturer about a vulnerability and wait 60 to 120 days for a fix to be developed and released. However, Johnson chose to share the exploit publicly because he had lost confidence in Apple’s ability to address the issue in a timely manner. He also pointed out that Apple’s policy only rewards researchers after a fix has been released, which means he could wait indefinitely without receiving any compensation.
Technical Details of the Vulnerability
The vulnerability involves the application sandbox. Johnson accidentally discovered that a sandboxed application could modify files that were supposed to be protected by the application management system. This includes files stored inside the bundles of signed applications, which should have been safeguarded. Johnson provided an example in Xcode to demonstrate the issue, showing how rewriting a file bypasses the application management system in macOS.
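A defender-side check for the condition described above, added here as an example that is not from Johnson's article or from Apple: it compares the resource files of an app bundle with the SHA-256 values recorded in the bundle's Contents/_CodeSignature/CodeResources seal and reports files that were changed or removed after signing. The Demo.app bundle and its contents are constructed for the demo, and the script does not validate the signature itself, which `codesign --verify --deep --strict` does on macOS.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path


def check_sealed_resources(app: Path) -> dict:
    """Compare files under <app>/Contents with the SHA-256 digests stored in
    the 'files2' dictionary of _CodeSignature/CodeResources."""
    contents = app / "Contents"
    with open(contents / "_CodeSignature" / "CodeResources", "rb") as fh:
        sealed = plistlib.load(fh).get("files2", {})
    report = {"modified": [], "missing": []}
    for rel, entry in sorted(sealed.items()):
        # Nested code (cdhash) and symlink entries carry no hash2; skip them.
        if not isinstance(entry, dict) or "hash2" not in entry:
            continue
        path = contents / rel
        if not path.is_file():
            if not entry.get("optional", False):
                report["missing"].append(rel)
        elif hashlib.sha256(path.read_bytes()).digest() != entry["hash2"]:
            report["modified"].append(rel)
    return report


def build_demo_bundle(root: Path) -> Path:
    """Constructed sample: a fake Demo.app with two sealed resource files."""
    app = root / "Demo.app"
    (app / "Contents" / "Resources").mkdir(parents=True)
    files = {"Resources/config.json": b'{"channel": "stable"}',
             "Resources/help.txt": b"help text"}
    for rel, data in files.items():
        (app / "Contents" / rel).write_bytes(data)
    seal = {"files2": {rel: {"hash2": hashlib.sha256(data).digest()}
                       for rel, data in files.items()}}
    sig_dir = app / "Contents" / "_CodeSignature"
    sig_dir.mkdir()
    with open(sig_dir / "CodeResources", "wb") as fh:
        plistlib.dump(seal, fh)
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        demo = build_demo_bundle(Path(tmp))
        print("as signed:   ", check_sealed_resources(demo))
        # Simulate a post-signing change to a sealed file in the demo bundle.
        (demo / "Contents" / "Resources" / "config.json").write_bytes(b"{}")
        print("after change:", check_sealed_resources(demo))
```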