A Software Bug Let Malware Bypass macOS' Security Defenses (techcrunch.com) 28
Apple has spent years reinforcing macOS with new security features to make it tougher for malware to break in. But a newly discovered vulnerability broke through most of macOS' newer security protections with a double-click of a malicious app, a feat not meant to be allowed under Apple's watch. From a report: Worse, evidence shows a notorious family of Mac malware has already been exploiting this vulnerability for months before it was subsequently patched by Apple this week. Over the years, Macs have adapted to catch the most common types of malware by putting technical obstacles in their way. macOS flags potentially malicious apps masquerading as documents that have been downloaded from the internet. And if macOS hasn't reviewed the app -- a process Apple calls notarization -- or if it doesn't recognize its developer, the app won't be allowed to run without user intervention.
But security researcher Cedric Owens said the bug he found in mid-March bypasses those checks and allows a malicious app to run. Owens told TechCrunch that the bug allowed him to build a potentially malicious app to look like a harmless document, which when opened bypasses macOS' built-in defenses when opened. "All the user would need to do is double click -- and no macOS prompts or warnings are generated," he told TechCrunch. Owens built a proof-of-concept app disguised as a harmless document that exploits the bug to launch the Calculator app, a way of demonstrating that the bug works without dropping malware. But a malicious attacker could exploit this vulnerability to remotely access a user's sensitive data simply by tricking a victim into opening a spoofed document, he explained.
Discovered in March. And, it was fixed a month lat (Score:5, Informative)
Just update and stop whining.
Re: Discovered in March. And, it was fixed a month (Score:4, Insightful)
Re: (Score:2)
From TFS: "evidence shows a notorious family of Mac malware has already been exploiting this vulnerability for months before it was subsequently patched by Apple this week."
Do you have evidence that this claim is wrong? Or do you posit that it was exploited without being discovered? Or ... maybe it was discovered by bad guys before March.
Re: Discovered in March. And, it was fixed a month (Score:2)
The researcher notified them of the exploit and it was promptly fixed.
We know that hackers and malware often exploit flaws in the software long before they are discovered and reported.
Could they have released a security patch sooner rather than waiting to release 11.3? Maybe.
Re: (Score:2)
What do iOS updates have to do with a macOS bug?
Re: Discovered in March. And, it was fixed a month (Score:2)
Re: (Score:3)
Nothing wrong with Mac security that feeding the offending device to a wood chipper won't solve.
Re: (Score:1)
Re: (Score:3)
Tell that to my mid-2010 iMac that can't even upgrade to Mojave. Oh, what's that? I'm supposed to throw away perfectly good hardware (upgraded to 12 GB RAM aftermarket)?
Put Linux on it. Problem solved. I recommend Elementary OS if you want it to be similar to OS X.
Re: (Score:1)
cough [slashdot.org]
Re: (Score:3)
I've found that older, 2015 or older Macs (before USB3 and the T2 chip) run Ubuntu or even Windows 10 pretty well. It may not be macOS, but the machine isn't ready for the recycler even though Apple stopped supporting it.
Now, M1 Macs... who knows. Hopefully there will be some way to load Linux on those boxes after they lose OS support from Apple.
Re:Discovered in March. And, it was fixed a month (Score:5, Informative)
It appears that this bug was introduced in macOS 10.15 ... thus older versions of macOS do not seem to be vulnerable. [objective-see.com]
Just don't update and stop whining. :)
Re: (Score:2)
And get new bugs.
Not unusual (Score:2)
Wait, doesn't pretty much every instance of malware take advantage of a software bug?
Re: (Score:1)
Re: (Score:1, Troll)
True, but Apple told us that macOS was the most secure OS on the planet. I mean, I may be a patch or two behind, but I still think that my Mac is pretty secu{#`%${%&`+'${`%&NO CARRIER
New Story Within the Next Three Years (Score:1, Troll)
Re: (Score:2)
Three problems.
1) Apple allows you to sign applications yourself using an Apple-provided certificate. This automatically bypasses Gatekeeper, and lets companies like Adobe and Microsoft to sell their software without needing Apple's approval. Mozilla and many other open-source projects al
Re: (Score:2)
How will code be written for Mac then? You can't really write code, do Git commits, do some testing and such on iOS/iPadOS. Apple would have to completely kill Objective C and Swift.
I can see a middle ground. Apps being all signed, but Apple having some sort of hypervisor or protected "world", like ARM's trusted and untrusted worlds, where development happens in a highly sandboxed area, and if one pops up a command line, there is no access to system binaries. Maybe a virtual environment where one can ha
How can a $1,000,000,000,000 let this happen (Score:2)
Re: (Score:2)
Don't worry, I am sure they learned their lesson after letting you become root without password by simply not typing the password.
https://arstechnica.com/inform... [arstechnica.com]
It Just Works (Score:2)
It Just Works, and that includes Mac malware too.
I see an article about Apple security exploit... (Score:2)
...I then check to see if there's a new jailbreak.
Sigh. (Score:2)
There is no utterly secure, mainstream operating system.
Those in general usage, and those aimed at consumers, are demonstrably worse, mainly because of the focus on adding new features and retaining backwards compatibility.
But still, in 2021, thinking MacOS is somehow "special" in regards security is so stupid. It makes you sound like a child.
And, no, Linux, etc. is no different. When you have 10's of millions of lines of code interacting at the lowest possible levels of hardware, you can't be permanently