This vulnerability lets an attacker view every file on a Mac

PSA A security researcher has discovered a flaw in macOS that could let an attacker view every file on a system. Using it, hackers can circumvent every layer of Mac security, alter core system files, and access the webcam. Apple patched it last year, but older macOS versions are still vulnerable.

Apple patched a severe vulnerability in macOS Monterey last October, but older versions remain susceptible to a code injection method that can break a Mac wide open. There are no known cases of attackers using the exploit, but it could leak sensitive information or grant a hacker elevated privileges.

The exploit can bypass two principal security measures Apple designed to stop malicious code from spreading through a system. The first, macOS Sandbox, is supposed to confine malicious code to the app that it has infected. The second, System Integrity Protection (SIP), stops authorized software from reaching sensitive files. Neither of these can stop the flaw in unpatched systems.

The vulnerability works by hijacking the way macOS suspends programs when a user leaves them idle or shuts the system down. When the apps need to wake back up, the system reads certain files to bring them out of a saved state. That saved state is less secure than apps are during normal operation.

Researcher Thijs Alkemade found a way to alter the files macOS reads when reactivating suspended apps, which let him run code in ways the system didn't intend. Alkemade could repeat the exploit to jump to different apps and ultimately bypass SIP to change some system files.

Alkemade's name appears among Apple's acknowledgments for patches from April and October 2021, indicating the company fixed the vulnerability after he reported it. However, this will only protect users running the latest versions of macOS.

Previous incidents have shown Apple favors patching the latest versions of its operating systems even though many users don't upgrade. In November, a cyberattack in Hong Kong utilized a vulnerability Apple had already patched in Monterey's predecessor, Big Sur. The affected systems were running the version before that - Catalina, which Apple only fixed after the attack.

Even though likely no one has used the latest vulnerability so far, it seems severe enough that Apple should probably patch it out of older macOS versions like Big Sur and Catalina sooner rather than later.