September 25, 2018 // 11:05 a.m.
Apple has officially released its latest mainstream operating system, macOS 10.14 Mojave, to the public - and a security researcher has responded by revealing its first zero-day security vulnerability, while hinting at having more waiting in the wings.
Released as a public beta back in June, macOS 10.14 Mojave brings with it a range of improvements: a system-wide dark theme, time-sensitive dynamic desktop backgrounds, 'stacks' of files based on type or user-specified metadata, a redesigned app store, and a quick-action feature set for Finder. More important than these, though, is the promise of improved security and privacy through features including an automatic password generator and prompts when websites or applications request access to a Mac's camera or microphone hardware.
It's these new security features that have been the focus of researcher Patrick Wardle's efforts: In an announcement posted to Twitter to coincide with Apple's formal launch of macOS 10.14 Mojave, Wardle demonstrates a zero-day vulnerability in the software's new privacy functionality which allows malicious applications to bypass them entirely to access supposedly-protected private data.
Confirming that the flaw affects both the previously-released beta builds and the latest 18A391 public release, Wardle hinted that the flaw isn't the only one he's found: 'If anybody has a link to [Apple]'s macOS bug bounty programme I'd like to report this & other 0days,' he writes, 'donating any payouts to charity.' Apple, however, runs a bug bounty programme only for its iOS mobile operating system and hardware platforms, not for its macOS desktop and laptop operating system.
Apple has an unfortunate history of security flaws in its software: From being able to log in as the root user with no password, a flaw fixed then embarrassingly reopened, to a back-door present from at least 2011 through to 2015 inclusive and a flaw which presented users with the disk encryption password for 'protected' volumes whenever the 'Hint' button was clicked, the company has come under fire for its software development processes and its approach to security.
As is usual for the company, Apple has not commented publicly on the flaw nor on a timescale for it to be patched.