Apple attempted to fix the flaw multiple times throughout 2022, but each time, Fitzl says, he was able to find a workaround for the company’s patch. Finally, Apple took a bigger step in Ventura and made more comprehensive changes to how it manages the permission for security services. In doing that, though, the company made a different mistake that’s now causing the current issues.
“Apple fixed it, and then I bypassed the fix, so they fixed it again, and I bypassed it again,” Fitzl says. “We went back and forth like three times, and eventually they decided that they will redesign the whole concept, which I think was the right thing to do. But it was a bit unfortunate that it came out in the Ventura beta so close to the public release, just two weeks before. There wasn’t time to be aware of the issue. It just happened.”
If you use a security scanner on your Mac and you update to macOS Ventura, check the program directly to see if it’s flagging an error. The workaround to fix the problem is simple once you know to do it. In System Preferences go to Security & Privacy, then the Privacy tab, and then Full Disk Access. Click the lock icon in the lower-left corner of the screen and authenticate with your system password to allow changes. Then uncheck the box next to any security services that are malfunctioning, to let the system know you want to disable their permission. Click the lock in the lower-left corner again to save the change, then redo the process and recheck the relevant boxes to freshly enable the permission without the flaw.
“Once you upgrade to Ventura, you could run a Malwarebytes scan, but it wouldn’t scan everything that it could if it had full disk access, and all of the real-time protection features are completely disabled,” Malwarebytes’ Reed says. “We get handicapped if we don’t get full disk access. And there are a number of ways that you could tell if Malwarebytes is not functioning properly, but if you’re not looking in the right places or you disabled certain settings, you might not notice. With other security clients, it’s probably similar—if you’re not interacting with it, you might not know.”
Researchers noticed—and Apple confirmed to WIRED—that the bug doesn’t happen when large organizations use Apple’s “mobile device management” program to upgrade their fleet of devices to Ventura. This is significant, because if the bug carried over to managed enterprise devices, it would mean yet another reason for companies to put off important software updates.
MacOS security researcher Patrick Wardle, founder of the Objective-See Foundation, says that he still recommends regular users upgrade their Macs to Ventura to get the new operating system’s other security and privacy protections. In the meantime, though, Wardle says he has been deluged by bug reports about his free, open source malware monitoring tool, BlockBlock. The Ventura bug even makes it appear that security services like BlockBlock and Malwarebytes have been granted extra system access beyond what these programs request, including the accessibility permission, access to input monitoring, and even screen recording.
“Users were understandably asking me, ‘Why does your tool need that?!’ And I’m like, ‘Uh, I have no idea. It doesn’t!’” Wardle says. “It shows that when Apple is pushing out security fixes for reported bugs, they’re still struggling to do that comprehensively and successfully without breaking other things. And in this case, they’re shipping a version of their operating system that is breaking security tools for millions, if not tens of millions, of users. It’s frustrating and disheartening.”
Independent researcher Fitzl, who presented his original disabling permission vulnerability findings at Black Hat Asia in May and Wardle’s Objective-See Mac and iOS security conference at the beginning of October, says that he’s sympathetic about the misstep.
“Apple was trying to redesign this thing to fix all of my bypasses, and they made a mistake—it happens,” he says. But he adds, ruefully, that the whole situation has played out in an unfortunate way. “I felt a bit weird about all of these issues and knowing that I pushed Apple into this because I was trying to get something else fixed.”
