Hackers exploited a 'mind-blowing' bug to get around macOS's security measures.

With the increase in macOS malware, Apple has been working hard in recent years to introduce layers of security that make it much more difficult for malicious software to run on Macs. However, a flaw in the operating system, publicly disclosed and fixed today, let malware slip past two of those layers at once: Gatekeeper and notarization.

Cedric Owens, a security researcher, found the flaw in mid-March while searching for ways to get around macOS's defences. Apple's Gatekeeper mechanism vets software downloaded from the internet: by default it only runs apps signed by a developer who has registered with Apple and paid for a Developer ID. Since macOS Catalina, such apps must also go through notarization, Apple's automated scanning process, before Gatekeeper will let them run.


Owens discovered a logic error in macOS itself, not in those systems. Attackers could package malware so that the operating system let it run even though it satisfied none of those requirements: it was neither signed by a registered developer nor notarized.

"With all of Apple's security enhancements over the last few years, I was shocked that this simple technique worked," Owens says. "I immediately reported this to Apple given the potential for real-world attackers to use this technique to circumvent Gatekeeper. There are several ways in which this bug may be exploited."

The weakness is similar to a front door that is barred and locked, but has a cat door at the bottom through which you can easily throw a bomb. Apple's checks assumed that anything presented as an application would always have certain attributes: a compiled executable and the standard bundle metadata. Owens found that if he created an app whose "executable" was actually just a script (code that tells another program what to do rather than doing the work itself) and left out the standard application metadata file, Info.plist, it would launch silently on any Mac. The operating system did not even show the most basic prompt: "This is an application downloaded from the Internet. Are you sure you want to open it?"

Owens reported the bug to Apple and shared his findings with Patrick Wardle, a long-time macOS security researcher, who dug deeper into why macOS had failed.

"The operating system is right in saying, 'Wait a minute, this is from the internet, I'm going to quarantine this and run all my checks,'" Wardle explains. macOS first checks whether the app has been notarized, which in this case it has not. It then checks whether the program is an application bundle; if it finds no Info.plist file, macOS incorrectly concludes that this is not an app at all, ignores every other indication to the contrary, and lets it run without warning the user.
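The two passages above describe the shape of the bypass (an app bundle with no Info.plist whose main executable is a script) and the order in which macOS checked it. As an added example, not part of the original article or of either researcher's work, the following POSIX shell script hunts a directory tree for bundles with exactly that shape: it reads the magic bytes of whatever sits under Contents/MacOS to tell a Mach-O binary from a shebang script, and flags bundles that combine a non-Mach-O executable with a missing Contents/Info.plist. The two sample bundles it builds in a temporary directory are constructed for the demonstration, and the verdict labels ("ok", "missing-plist", "suspicious", "no-executable") are this example's own, not Gatekeeper's; the Mach-O magic values are the real ones.

```shell
#!/bin/sh
# Added example: hunt for .app bundles shaped like the Owens/Wardle bypass,
# i.e. no Contents/Info.plist and a main executable that is an interpreter
# script rather than a Mach-O binary. The sample bundles are constructed.

# Classify a file by its first four bytes: "macho", "script" (shebang) or "other".
exe_kind() {
    magic=$(od -An -tx1 -N 4 "$1" | tr -d ' \n')
    case "$magic" in
        # Mach-O thin (32/64-bit, either byte order) and fat/universal magics.
        feedface|feedfacf|cefaedfe|cffaedfe|cafebabe|bebafeca) echo macho ;;
        # 0x23 0x21 is "#!": an interpreter script.
        2321*) echo script ;;
        *) echo other ;;
    esac
}

# Verdict for one bundle directory (hypothetical labels, not Gatekeeper's):
#   ok             Info.plist present, Mach-O main executable
#   missing-plist  no Info.plist but a Mach-O main executable
#   suspicious     no Info.plist AND a non-Mach-O (e.g. script) main executable
#   no-executable  nothing executable under Contents/MacOS
check_bundle() {
    plist="$1/Contents/Info.plist"
    exe=""
    for f in "$1"/Contents/MacOS/*; do
        if [ -f "$f" ] && [ -x "$f" ]; then
            exe=$f
            break
        fi
    done
    if [ -z "$exe" ]; then
        echo no-executable
        return 0
    fi
    kind=$(exe_kind "$exe")
    if [ ! -f "$plist" ] && [ "$kind" != macho ]; then
        echo suspicious
    elif [ ! -f "$plist" ]; then
        echo missing-plist
    else
        echo ok
    fi
}

# Report every .app bundle below a directory, one "<verdict><tab><path>" line each.
scan_apps() {
    find "$1" -type d -name '*.app' | sort | while IFS= read -r app; do
        printf '%s\t%s\n' "$(check_bundle "$app")" "$app"
    done
}

# Constructed sample data: one ordinary-looking bundle and one shaped like the bypass.
make_samples() {
    mkdir -p "$1/Good.app/Contents/MacOS" "$1/Bad.app/Contents/MacOS"
    printf '<?xml version="1.0"?>\n<plist version="1.0"><dict>\n<key>CFBundleExecutable</key><string>Good</string>\n</dict></plist>\n' \
        > "$1/Good.app/Contents/Info.plist"
    # 0xcf 0xfa 0xed 0xfe: the on-disk magic of a little-endian 64-bit Mach-O.
    printf '\317\372\355\376' > "$1/Good.app/Contents/MacOS/Good"
    # No Info.plist at all, and the "executable" is a shell script.
    printf '#!/bin/sh\necho hello from a script masquerading as an app\n' \
        > "$1/Bad.app/Contents/MacOS/Bad"
    chmod +x "$1/Good.app/Contents/MacOS/Good" "$1/Bad.app/Contents/MacOS/Bad"
}

# Stand-alone demo: build the samples, scan them, clean up.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
scan_apps "$demo_dir"
rm -rf "$demo_dir"
```

Run it with `sh` on any system to see `ok` reported for Good.app and `suspicious` for Bad.app; on a real Mac, point `scan_apps` at `~/Downloads` or `/Applications` and pair a hit with `xattr -p com.apple.quarantine <file>` (is it still quarantined?) and `spctl -a -t execute -vv <app>` (what does Gatekeeper say about it?). Treat the verdict as a triage heuristic, not proof: legitimate apps built around a script launcher exist, but they ship an Info.plist, so the combination of no plist and a script executable is what deserves a closer look.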

"It just says 'Well, fine,' and will run something," Wardle explains. "It's a little insane!"

Today, Apple released macOS Big Sur 11.3, which includes a fix for the bug. According to a spokesperson, the bug allowed malware to bypass both the notarization requirement and the Gatekeeper warning shown to the user. In addition to correcting the logic error in macOS, Apple updated XProtect, the malware-scanning tool built into macOS, so that it detects and blocks apps that attempt to exploit the bug. Because XProtect signatures are delivered automatically in the background, this also protects Macs still running older versions of macOS.

Although the bug was simple and the result of an understandable technical mistake, the researchers stress that it shows how a single logic error can undo even the most stringent anti-malware defences. It also underscores the importance of thorough, comprehensive code audits.

"This isn't to suggest that every operating system won't have flaws—they always will," Wardle explains. "However, this completely undermines many of macOS' central, fundamental components. This is a mind-boggling omission."
