An Apple Malware-Flagging Tool Is 'Trivially' Easy To Bypass (wired.com)
One of the Mac's built-in malware detection tools may not be working quite as well as you think. From a report: At the Defcon hacker conference in Las Vegas, longtime Mac security researcher Patrick Wardle presented findings today about vulnerabilities in Apple's macOS Background Task Management mechanism, which could be exploited to bypass and, therefore, defeat the company's recently added monitoring tool. There's no foolproof method for catching malware on computers with perfect accuracy because, at their core, malicious programs are just software, like your web browser or chat app. It can be difficult to tell the legitimate programs from the transgressors. So operating system makers like Microsoft and Apple, as well as third-party security companies, are always working to develop new detection mechanisms and tools that can spot potentially malicious software behavior in new ways.
Apple's Background Task Management tool focuses on watching for software "persistence." Malware can be designed to be ephemeral and operate only briefly on a device or until the computer restarts. But it can also be built to establish itself more deeply and "persist" on a target even when the computer is shut down and rebooted. Lots of legitimate software needs persistence so all of your apps and data and preferences will show up as you left them every time you turn on your device. But if software establishes persistence unexpectedly or out of the blue, it could be a sign of something malicious. With this in mind, Apple added Background Task Manager in macOS Ventura, which launched in October 2022, to send notifications both directly to users and to any third-party security tools running on a system if a "persistence event" occurs. This way, if you know you just downloaded and installed a new application, you can disregard the message. But if you didn't, you can investigate the possibility that you've been compromised.
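The summary above describes Background Task Manager as a reporter of "persistence events" (new launch items such as launchd agents and daemons), and Wardle's finding is that those reports can be suppressed. As an added example that is not code from the Wired article, from Wardle's presentation, or from Apple, the script below shows the kind of independent second layer a defender can keep: it inventories launchd property lists, fingerprints each item by label and program, diffs the result against a saved baseline, and attaches plain review reasons to anything new or changed. It goes a little beyond the text by adding those review heuristics. Every path, label and plist body is constructed for the example; `read_from_disk` is the only function that touches the real system, and it is not called by default.

```python
"""Baseline-diff check for launchd persistence items (added example)."""
import hashlib
import os
import plistlib
from typing import Dict, List, Tuple

# Standard launchd directories on macOS; only used by read_from_disk().
LAUNCH_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]


def _plist(label: str, args: List[str], run_at_load: bool, keep_alive: bool = False) -> bytes:
    """Build a launchd-style property list; used only to construct sample data."""
    return plistlib.dumps({"Label": label, "ProgramArguments": args,
                           "RunAtLoad": run_at_load, "KeepAlive": keep_alive})


AGENTS = "/Users/alice/Library/LaunchAgents"  # constructed user path

# Constructed sample: the launch-agent directory when the baseline was taken.
BASELINE_PLISTS: Dict[str, bytes] = {
    f"{AGENTS}/com.example.updater.plist":
        _plist("com.example.updater", ["/Applications/Example.app/Contents/MacOS/updater", "--check"], True),
    f"{AGENTS}/com.example.sync.plist":
        _plist("com.example.sync", ["/Applications/Example.app/Contents/MacOS/sync"], True),
}

# Constructed sample: the same directory now. The sync agent is gone and a new
# item that launches a binary from a hidden temp directory has appeared.
CURRENT_PLISTS: Dict[str, bytes] = {
    f"{AGENTS}/com.example.updater.plist": BASELINE_PLISTS[f"{AGENTS}/com.example.updater.plist"],
    f"{AGENTS}/com.update.agent.plist":
        _plist("com.update.agent", ["/private/tmp/.cache/agent"], True, keep_alive=True),
}


def parse_launch_item(data: bytes) -> dict:
    """Reduce a launchd plist to the fields that matter for a persistence review."""
    p = plistlib.loads(data)
    args = list(p.get("ProgramArguments") or [])
    program = p.get("Program") or (args[0] if args else "")
    return {"label": p.get("Label", ""), "program": program, "args": args,
            "run_at_load": bool(p.get("RunAtLoad", False)),
            "keep_alive": bool(p.get("KeepAlive", False))}


def fingerprint(item: dict) -> str:
    """Stable hash of label plus command line, so edits to an existing item show as 'changed'."""
    material = item["label"] + "\0" + "\0".join(item["args"] or [item["program"]])
    return hashlib.sha256(material.encode()).hexdigest()


def inventory(plists: Dict[str, bytes]) -> Dict[str, str]:
    return {path: fingerprint(parse_launch_item(data)) for path, data in plists.items()}


def diff_inventories(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Which launch items appeared, disappeared, or changed since the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")


def review_reasons(item: dict) -> List[str]:
    """Simple, explainable reasons a reviewer should look at an item; empty means nothing stood out."""
    reasons = []
    if item["program"].startswith(TEMP_PREFIXES):
        reasons.append("program lives in a world-writable or shared directory")
    if "/." in item["program"]:
        reasons.append("program path contains a hidden directory")
    if item["keep_alive"]:
        reasons.append("KeepAlive set: launchd restarts the process if it exits")
    return reasons


def read_from_disk(directories: List[str] = LAUNCH_DIRS) -> Dict[str, bytes]:
    """Collect real plists from the launchd directories that exist; never raises on a missing dir."""
    found: Dict[str, bytes] = {}
    for d in directories:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            path = os.path.join(d, name)
            if name.endswith(".plist") and os.path.isfile(path):
                with open(path, "rb") as fh:
                    found[path] = fh.read()
    return found


def report(baseline: Dict[str, bytes], current: Dict[str, bytes]) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Diff two snapshots and attach review reasons to every added or changed item."""
    delta = diff_inventories(inventory(baseline), inventory(current))
    findings = {p: review_reasons(parse_launch_item(current[p])) for p in delta["added"] + delta["changed"]}
    return delta, findings


if __name__ == "__main__":
    delta, findings = report(BASELINE_PLISTS, CURRENT_PLISTS)
    for kind in ("added", "removed", "changed"):
        for path in delta[kind]:
            print(f"{kind:8} {path}")
            for reason in findings.get(path, []):
                print(f"         - {reason}")
```

In practice the baseline is the output of `inventory(read_from_disk())` saved to disk at a known-good moment, and the check reruns periodically or from a login hook; the point is that it reads the launchd directories directly rather than waiting for a notification that, per the finding above, may never arrive.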
safe if only using apple apps? (Score:1)
Since every Mac comes with Apple's office pack, audio/video editing, mail, calendar, videoconferencing and a relatively secure browser needed for basic work, it seems to make them secure from this problem if nothing else is ever installed :)
Re: safe if only using apple apps? (Score:1, Troll)
Apple is malware. Downvote away.
non-apple software? (Score:3)
Data theft seems more like a feature of my iPhone (Score:3)
https://www.apple.com/newsroom... [apple.com]
Did Apple start telling users that the phones weren't secure? No, while they were in court arguing that NSO software had breached their security and it was hurting their users, they were continuing to tell users to put their data on the phones.
Am I surprised that Apple isn't really committed to stopping malware on their platforms? Nope, it seems to be their profit-center.
RTFA, actual meat (Score:2)
More concerning is that Wardle also found two paths that don't require root access to disable the persistence notifications Background Task Manager is supposed to send to the user and to security monitoring products.
Re: (Score:2)
I was going to criticize the absence of info in TFS; but the article itself doesn't say hardly anything about what Wordle, I mean Wardle, found. The parent post's single sentence is pretty much all there is.
I assume the actual presentation had at least a little detail.
Bar for entry (Score:3)
Security exists in layers specifically because we can't count on any one to stop everything.
A lot of what Apple and Microsoft are doing is increasing the bar for entry for new malware to be effective. Malware authors need to string together longer and longer chains of exploits to have an impact that would have been trivial in previous years. In the case of this exploit, a malware author looking to exploit it would have had to jump through the umpteen layers of security that come before it, including the XProtect system that distributes malware fingerprints on a daily basis, Gatekeeper's default settings that disallow apps from outside the Mac App Store, Gatekeeper's additional protection against running apps from unregistered developers unless the user consents to do so, drive-by-download protections in most browsers, bypassing permission restrictions on adding an app to the launch items, and so on. All of which are possible, of course, but having all of those exploits in your hand at the same time is a high bar for entry.
It isn't good that this exploit exists and Apple absolutely needs to address it, but I'm glad that the layered approach to security we've built up over the decades means that exploits like these don't immediately result in the worms of yesteryear spreading like wildfire. Those are thankfully far less common and less likely today than they were at the turn of the century.
Potentially malicious software (Score:1)
Easy (Score:2)
Apple is the absolute easiest shit to hack and infect. Their security is garbage at every level. Apple doesn't give a shit about its customers and never has.