What new security features does macOS 13 bring?

The first beta of macOS 13 has been released, and I’ve noticed some exciting new features that are great for security-conscious people. 

USB devices can be allowed or disallowed

On portable Mac computers with Apple Silicon, new USB and Thunderbolt accessories require user approval before the accessory can communicate with macOS for connections wired directly to the USB-C port. This doesn’t apply to power adapters, standalone displays, or connections to an approved hub. Devices can still charge if you choose Don’t Allow.

You can change the security configuration in System Settings > Security and Privacy > Security. The initial configuration is Ask for new accessories. Configuring an accessibility Switch Control sets the policy to always allow accessory use. Approved devices can connect to a locked Mac for up to three days.

https://developer.apple.com/documentation/macos-release-notes/macos-13-release-notes#:~:text=Release%20Notes.-,Accessory%20Security,-New%20Features

This is great because there were (are?) exploits that can read computer memory directly from Thunderbolt. Theoretically, someone could dump your entire memory just by plugging in a USB stick.

Not to mention the standard trick of copying files to a USB drive while you are not looking. I only wish it were also supported on the Mac mini, because it too can be vulnerable in public settings.

List of all launch helpers

Launching an app on macOS when the user logs in is complicated. There are two ways. A third-party app can instruct the user to drop the app into “Login items”, but most users don’t like to bother. So app developers baked “autostart” into a custom application helper that essentially bootstraps the app. In most cases, when you enable “Launch at login” you are actually installing a helper that can outlive the app.

When you remove the app, the custom application helper usually stays installed, so in theory a malicious helper can still do things after the app was removed. One such example was Zoom, which had a vulnerability that allowed random installations even after Zoom itself was removed.
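
One way to audit for such leftovers, as an added example that is not from the original post or from Pareto Security. It assumes the helper is registered as a launchd job in the standard LaunchAgents/LaunchDaemons directories and flags jobs whose executable no longer exists; `find_leftover_helpers` and `helper_target` are names chosen for this example.

```python
import plistlib
from pathlib import Path

# Standard launchd job locations on macOS. Treating the post's "helper" as a
# launchd job registered in one of these directories is this example's assumption.
LAUNCH_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]


def helper_target(job):
    """Return the executable path a launchd job starts, or None if it has none."""
    program = job.get("Program")
    if isinstance(program, str):
        return program
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def find_leftover_helpers(dirs=LAUNCH_DIRS):
    """Return (plist_path, label, target, reason) tuples for jobs to review."""
    findings = []
    for directory in map(Path, dirs):
        if not directory.is_dir():
            continue
        for plist in sorted(directory.glob("*.plist")):
            try:
                with plist.open("rb") as fh:
                    job = plistlib.load(fh)
            except Exception:  # unreadable or malformed file: report, do not crash
                findings.append((str(plist), None, None, "unreadable plist"))
                continue
            if not isinstance(job, dict):
                continue
            target = helper_target(job)
            # Only absolute paths can be checked; bare names resolve via PATH.
            if target and target.startswith("/") and not Path(target).exists():
                findings.append((str(plist), job.get("Label"), target, "target missing"))
    return findings


if __name__ == "__main__":
    for path, label, target, reason in find_leftover_helpers():
        print(f"{reason}: {path} label={label} target={target}")
```

A "target missing" finding means the job still loads at login but points at an app that is gone, so it is a candidate for review, not proof of anything malicious.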

New Privacy & Security

The biggest change you will notice is the System Settings app, and the Privacy & Security section is also revamped. It now contains a list of all app and access permissions. A lot of the checks will now refer to this section, but we haven’t updated the docs yet, as we expect some more changes.

Rapid Security Response

Get important security improvements to your devices even faster. This isn’t a standard software update. These improvements can be applied automatically between normal updates — without a restart.

https://www.apple.com/macos/macos-ventura-preview/features/#:~:text=Rapid%20Security%20Response

It uses an already established mechanism for pushing changes directly from Apple, which was available in a previous version of macOS. What is new is that it creates app and system stubs in /System/Volumes/Preboot/Cryptexes/, which get replaced with a patched or new version without rebooting the Mac; simply restarting the application is enough. A new process called cryptex (CRYPTographically-sealed EXtension) is responsible for this.

Currently only Safari and Passwords are patched on the fly, but it can be used for any app Apple wishes. The second functionality is system patching, where it now patches WebKit, Core Services, and Authentication Services, among others.

The patching functionality also supports pre-releases, so someone with the correct profile can get releases before everyone else.

What about the Pareto Security app?

The latest release of Pareto Security added support for macOS 13, so you can now use it without issues. We will also be adding new checks for the above-mentioned USB devices and leftover app helpers.

Janez Troha

Janez is the lead developer on Pareto Security.
