Hackers Used ‘Mind-Blowing’ Bug to Sneak Past macOS Safeguards

With macOS malware on the rise, Apple has been busy in recent years adding layers of protections that make it a lot more difficult for malicious software to run on Macs. But a vulnerability in the operating system, publicly disclosed and patched today, was exploited to bypass all of them. 

Security researcher Cedric Owens discovered the bug in mid-March while looking for ways around macOS defenses. Apple’s Gatekeeper mechanism requires developers to register with Apple and pay a fee so their software will be able to run on Macs. And the company’s software notarization process mandates that all applications go through an automated vetting process. The logic flaw Owens found lay not in those systems but rather in macOS itself. Attackers could craft their malware strategically to trick the operating system into letting it run even if it failed key safety checks along the way.

“With all of the security improvements Apple has made in the past few years I was pretty surprised that this simple technique worked,” Owens says, “So I immediately reported this to Apple given the potential for real world attackers to use this technique to bypass Gatekeeper. There are multiple use cases for how this bug could be abused.”

The flaw is akin to a front entrance that’s barred and bolted effectively, but with a cat door at the bottom that you can easily toss a bomb through. Apple mistakenly assumed that applications will always have certain specific attributes. Owens discovered that if he made an application that was really just a script—code that tells another program what to do rather than doing it itself—and didn’t include a standard application metadata file called “info.plist,” he could silently run the app on any Mac. The operating system wouldn’t even give its most basic prompt: “This is an application downloaded from the Internet. Are you sure you want to open it?”

Owens reported the bug to Apple and also shared his findings with longtime macOS security researcher Patrick Wardle, who conducted deeper analysis into why macOS had dropped the ball.

“The operating system correctly says, ‘Wait a minute, this is from the internet, I’m going to quarantine this and I’m going to do all my checks,’” Wardle says. First, macOS checks to see if the app has been notarized, which in this case it hasn’t. But then it follows up to see if the software is an application bundle; when it sees there’s no ‘info.plist’ file, macOS wrongly determines that it’s not an app, ignores any other evidence to the contrary, and lets it run without any caution to the user. “It just says ‘OK, cool’ and will run anything,” Wardle says. “It’s kind of bonkers!”
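A defender-side scan for the bundle shape described above (an .app with no Contents/Info.plist whose executable is a script rather than a compiled binary), written as an added example here and not code from Owens, Wardle or Apple. The two sample bundles are constructed in a temporary directory, and the quarantine attribute is deliberately not read so the scan runs on any platform; on a real Mac you would additionally restrict it to quarantined downloads.

```python
import os
import plistlib
import tempfile
from pathlib import Path

def classify_bundle(app_dir: Path) -> dict:
    """Describe one .app bundle in the article's terms: Info.plist present? script executable?"""
    info_plist = app_dir / "Contents" / "Info.plist"
    try:
        with info_plist.open("rb") as fh:
            plistlib.load(fh)      # must be present *and* parseable
        has_plist = True
    except Exception:              # missing or corrupt: treat as absent, as macOS did
        has_plist = False
    scripts = []
    macos_dir = app_dir / "Contents" / "MacOS"
    if macos_dir.is_dir():
        for exe in macos_dir.iterdir():
            if exe.is_file() and exe.read_bytes()[:2] == b"#!":
                scripts.append(exe.name)   # shebang: a script, not a Mach-O binary
    return {
        "bundle": app_dir.name,
        "has_info_plist": has_plist,
        "script_payloads": scripts,
        # the shape Owens described: no Info.plist and a script as the executable
        "suspicious": (not has_plist) and bool(scripts),
    }

def scan_bundles(root: Path) -> list:
    """Walk root and classify every *.app directory found, without descending into bundles."""
    results = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                results.append(classify_bundle(Path(dirpath) / d))
                dirnames.remove(d)
    return results

def build_demo_tree() -> Path:
    """Constructed sample data: one well-formed bundle and one with the flawed shape."""
    root = Path(tempfile.mkdtemp())
    good = root / "Good.app" / "Contents"
    (good / "MacOS").mkdir(parents=True)
    with (good / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Good"}, fh)
    (good / "MacOS" / "Good").write_bytes(b"\xcf\xfa\xed\xfe")  # 64-bit Mach-O magic
    bad = root / "Installer.app" / "Contents" / "MacOS"
    bad.mkdir(parents=True)
    (bad / "Installer").write_text("#!/bin/sh\necho demo\n")    # script as executable
    return root
```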

After gaining a deeper understanding of how the bug worked, Wardle reached out to the Apple-focused device management firm Jamf to see if the company’s Protect antivirus product had flagged any script-based malware that fit the criteria. In fact, Jamf had flagged a version of the Shlayer adware that was actively exploiting the bug.

The Gatekeeper feature on macOS, launched in 2012, prompts users with a warning asking if they’re sure they want to run applications downloaded outside the Mac App Store. Over the years, though, attackers have been able to trick enough victims into agreeing that they could still distribute their malware widely. But Apple’s notarization requirements, which went into effect in February 2020, have made it significantly harder for malware actors to target Macs. If a user tries to run software that isn’t notarized, macOS will reject the app altogether. That represents a big problem for cybercriminals, particularly adware peddlers, who rely on a broad victim base to generate revenue.

The group that develops Shlayer has aggressively sought workarounds, and has had some success tricking Apple into notarizing its malware. A bug that allows you to bypass the notarization requirement completely, though, would obviously be preferable—especially if it came with the bonus of not needing to trick users into agreeing to run the malware at all.