Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Desktops (Apple) Security Apple IT Technology

An Apple Malware-Flagging Tool Is 'Trivially' Easy To Bypass (wired.com) 9

One of the Mac's built-in malware detection tools may not be working quite as well as you think. From a report: At the Defcon hacker conference in Las Vegas, longtime Mac security researcher Patrick Wardle presented findings today about vulnerabilities in Apple's macOS Background Task Management mechanism, which could be exploited to bypass and, therefore, defeat the company's recently added monitoring tool. There's no foolproof method for catching malware on computers with perfect accuracy because, at their core, malicious programs are just software, like your web browser or chat app. It can be difficult to tell the legitimate programs from the transgressors. So operating system makers like Microsoft and Apple, as well as third-party security companies, are always working to develop new detection mechanisms and tools that can spot potentially malicious software behavior in new ways.

Apple's Background Task Management tool focuses on watching for software "persistence." Malware can be designed to be ephemeral and operate only briefly on a device or until the computer restarts. But it can also be built to establish itself more deeply and "persist" on a target even when the computer is shut down and rebooted. Lots of legitimate software needs persistence so all of your apps and data and preferences will show up as you left them every time you turn on your device. But if software establishes persistence unexpectedly or out of the blue, it could be a sign of something malicious. With this in mind, Apple added Background Task Manager in macOS Ventura, which launched in October 2022, to send notifications both directly to users and to any third-party security tools running on a system if a "persistence event" occurs. This way, if you know you just downloaded and installed a new application, you can disregard the message. But if you didn't, you can investigate the possibility that you've been compromised.

This discussion has been archived. No new comments can be posted.

An Apple Malware-Flagging Tool Is 'Trivially' Easy To Bypass

Comments Filter:
  • since every mac comes with apples office pack, audio/video editing, mail, calendar, videoconferencing and a relatively secure browser needed for basic work, it seems to make them secure from this problem if nothing else is ever installed :)

  • by LeadGeek ( 3018497 ) on Monday August 14, 2023 @10:18AM (#63766160)
    I've always suspected Apple had a long-term goal of making it impossible to run any 3rd party software on "their" hardware.
  • Data theft seems more like a feature of my iphone than a bug. Researchers believe organizations like the NSO Group have had no-click iphone exploits as far back as 2014 ( https://www.businessinsider.co... [businessinsider.com] ). And in 2021 Apple sued them to "To prevent further abuse and harm to its users". Well how did that lawsuit go?

    https://www.apple.com/newsroom... [apple.com]

    Did Apple start telling users that the phones weren't secure? No, while they were in court arguing that NSO software had breached their security and it was hurting their users, they were continuing to tell users to put their data on the phones.

    Am I surprised that Apple isn't really committed to stopping malware on their platforms? Nope, it seems to be their profit-center.
  • More concerning is that Wardle also found two paths that don't require root access to disable the persistence notifications Background Task Manager is supposed to send to the user and to security monitoring products.

    • I was going to criticize the absence of info in TFS; but the article itself doesn't says hardly anything about what Wordle I mean Wardle found. The parent post's single sentence is pretty much all there is.

      I assume the actual presentation had at least a little detail.

  • by Anubis IV ( 1279820 ) on Monday August 14, 2023 @12:36PM (#63766536)

    Security exists in layers specifically because we can't count on any one to stop everything.

    A lot of what Apple and Microsoft are doing is increasing the bar for entry for new malware to be effective. Malware authors need to string together longer and longer chains of exploits to have an impact that would have been trivial in previous years. In the case of this exploit, a malware author looking to exploit it would have had to jump through the umpteen layers of security that come before it, including the XProtect system that distributes malware fingerprints on a daily basis, Gatekeeper's default settings that disallow apps from outside the Mac App Store, Gatekeeper's additional protection against running apps from unregistered developers unless the user consents to do so, drive-by-download protections in most browsers, bypassing permission restrictions on adding an app to the launch items, and so on. All of which are possible, of course, but having all of those exploits in your hand at the same time is a high bar for entry.

    it isn't good that this exploit exists and Apple absolutely needs to address it, but I'm glad that the layered approach to security we've built up over the decades means that exploits like these don't immediately result in the worms of yesteryear spreading like wildfire. Those are thankfully far less common and less likely today than they were at the turn of the century.

  • I thought Apple didn't suffer from that click-and-install innovation that other Desktop OS suffered from.
  • Apple is the absolute easiest shit to hack and infect. Their security is garbage at every level. Apple doesn't give a shit about its customers and never has.

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...