Thursday, June 6, 2019 [Tweets] [Favorites]

Security & Privacy in macOS 10.15 Beta

Advances in macOS Security:

We are on a journey to continuously improve macOS security, with a particular focus on preventing malware and protecting user data. Join us on the next step and learn more about what's new in Gatekeeper—for keeping malware out of macOS—as well as new protections that help keep users' data and activity under their control.

Kyle Howells:

Apple still refuses to put an “Allow” button on the macOS security prompts I can see.

Thomas Tempelmann:

And still no option to tell macOS that you trust an app accessing everything at once, instead of being asked for every detail separately? It’s already a pain with apps like iClip and Timing to be acknowledge them using AppleEvents on every app you touch.

Zack Whittaker (tweet):

But the protections [in macOS 10.14] weren’t very good. Those ‘allow’ boxes can be subverted with a maliciously manufactured click.

[…]

Wardle, who revealed the zero-day flaw at his conference Objective By The Sea in Monaco on Sunday, said the bug stems from an undocumented whitelist of approved macOS apps that are allowed to create synthetic clicks to prevent them from breaking.

Felix Schwarz:

Just when you thought kext development couldn’t get any more frustrating… a “New Feature” arrives.

DriverKit (Hacker News):

The DriverKit framework provides C++ classes for IO services, device matching, memory descriptors, and dispatch queues. It also defines IO-appropriate types for numbers, collections, strings, and other common types. You use these with family-specific driver frameworks like USBDriverKit and HIDDriverKit.

Felix Schwarz:

Wow! macOS #Catalina adds new frameworks to allow drivers to run IN USER SPACE & manage them via “SystemExtensions”!

More on macOS Catalina #DriverKit drivers:

- packaged alongside the app like modern app extensions.
- removed from the system when the host app is
- (possibly) can be dynamically loaded & unloaded them as needed using OSSystemExtensionRequests

In #SOTU, Apple just announced that “in a future #macOS release”, KEXTs targeting driver categories covered by #DriverKit will no longer work and encouraged developers to adopt #DriverKit now.

Jeff Johnson:

A lot of things bothered me yesterday, but I think the one thing that bothered me the most was 10.15 locking down the Documents folder.

In the past, Documents was the place that apps were supposed to use. Now it’s forbidden ground.

The Mac is dying from permission dialogs.

All About Notarization:

Notarization is all about identifying and blocking malicious Mac software prior to distribution, without requiring App Review or the Mac App Store. Introduced last year and already widely adopted by Mac app developers, this is your opportunity to take an in depth tour of Notarization workflows and find out what's new with the Notarization service.

Mark Munz (Rich Trouton):

‘All About Notarization was somewhat disappointing.

They kind of quickly explained Sparkle.framework issue. 🤷‍♂️

But looks like zero workflow improvements to automation & notarization. 😞

Jeff Johnson:

For Mac App Store apps, I suspect that Catalina will be a very easy update. Not many changes as far as I can tell.

For non-sandboxed apps on the other hand... I pray for you.

Steve Troughton-Smith:

Good news: macOS Catalina still respects your System Integrity Protection setting and lets you write to to the hard disk root if SIP is off

Previously:

Update (2019-06-10): Jeff Johnson:

Wait, according to the “Advances in macOS Security” video (9:30 mark), there’s no more first launch Gatekeeper dialog for standalone executables on Catalina?

Howard Oakley:

This changes again as of 1 June 2019 with respect to Catalina, but not (as far as we know) in Mojave. From that date onwards, all newly-signed apps and other executable code which undergo first run checks (because of a quarantine flag) are required to have been notarized. You can still run apps which haven’t been notarized or even remain unsigned in Catalina, though.

Update (2019-06-11): Rosyna Keller:

macOS never had a first launch prompt for anything not going through LaunchServices before. Catalina is the first to add it for quarantined files not going through LaunchServices.

Daniel Jalkut:

OMG tccutil in Catalina actually accepts the bundle ID it has claimed to accept for years:

% tccutil reset AppleEvents com.red-sweater.fastscripts

successfully reset AppleEvents approval status for com.red-sweater.fastscripts

Update (2019-06-18): SentinelOne:

10.15 sees some major developments that will affect both the enterprise and developers of security solutions. In this post, we round up what’s been announced so far and explain how it could affect you.

Update (2019-07-01): Peter Steinberger:

Catalina still offers “Allow apps downloaded from anywhere” if you use the terminal.

sudo spctl --master-disable

(Firefox updater stopped working without)

21 Comments

"More on macOS Catalina #DriverKit drivers:

- packaged alongside the app like modern app extensions."

Which seems totally dumb in so many cases for System Extensions.

Session 701 on Gatekeeper says in the future every binary will need to be Notarized. How will systems like brew continue to function? Every random open source developer is not going to fork over $99 to Apple for Developer ID.

I'd imagine they'd want someone managing Homebrew or MacPorts to notarize them if they distribute them as a binary otherwise the person running Xcode for installing from source will have to do it.

Another new annoyance I haven't seen mentioned before: downloading ZIPs in Safari adds more friction: you have to allow downloads form the website (similar to how custom protocols behave now) and ZIPs are no longer considered safe files and no longer automatically opened/unpacked.

@VS wow really? Ugh that is a terrible experience.

No simple way to run brew? More weird security shenanigans? Sounds like 10.14 is the last version of OS X I'll ever use.

FWIW, I just realized the other day that Gmail no longer allows .zip files to be sent. If you want to "send" a folder of files to someone, you have to upload it to Google Drive and then send a link. When did zip files become the bastard stepchild of the internet? WTF.

@VS: ”…and ZIPs are no longer considered safe files and no longer automatically opened/unpacked.”

To me that sounds like the right thing to do from a security perspective. I understand the friction, but automatically unzipping files is a known attack vector AFAIK. Like this recent example:
https://mjtsai.com/blog/2019/05/27/gatekeeper-symlinkautomount-bypass/

Lukas, it only affects binaries as I understand it. If you build from source with MacPorts or Homebrew it shouldn't be an issue. And both use a normal installer to install the initial binaries and so that will be signed. So for most uses it's irrelevant as I understand it. And honestly for the binaries since the both MacPorts and Homebrew have installers that are signed, they can also sign any binaries they distribute. Really not an issue at all.

@VS - June 7, 2019 9:30 AM

It is not limited to ZIP files - there is a site pref that can be toggled, or it can be set globally: Preferences > Websites > Downloads. The automatically opening of (ZIP) files I always found of very dubious safety.

Those are also available in the latest Safari Technology Preview.

[…] Advances in macOS Security (my post) […]

[…] Security & Privacy in macOS 10.15 Beta […]

[…] to resemble Windows and its barrage of confirmation dialog boxes. (For the related discussion, see Security & Privacy in macOS 10.15 Beta on Michael Tsai’s […]

[…] Security & Privacy in macOS 10.15 Beta […]

[…] Security & Privacy in macOS 10.15 Beta […]

[…] Security & Privacy in macOS 10.15 Beta […]

[…] Security & Privacy in macOS 10.15 Beta […]

[…] Security & Privacy in macOS 10.15 Beta […]

[…] Security & Privacy in macOS 10.15 Beta […]

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment