The hackers used the ‘Mind-Blowing’ bug to hide past macOS protections
[ad_1]
With MacOS malware upwardsApple has been busy adding malicious software that makes it much more difficult to run malicious software on Macs in recent years. But a vulnerability in the operating system, now publicly spread and patched, was used to prevent them all.
Security researcher Cedric Owens found the bug in mid-March while looking for ways to macOS defenses. Apple Goalkeeper the devices require developers to register with Apple and pay a fee so that their software can run on Macs. And the company’s software notarization process mandates that all applications must perform an automated review process. Owens found that the logical flaw was not in those systems, but in macOS. Attackers can strategically create their own malware to trick the operating system into failing to secure all security controls along the way.
“I was pretty impressed with all the security improvements that Apple has made in recent years because this simple technique worked,” says Owens. “So I immediately informed Apple, given the potential of real-world attackers to prevent this technique. Gatekeeper. There are several use cases where this error can be abused.”
The bug is similar to a front entrance, which is effectively linked and tightened, but has a cat door underneath to easily drop a bomb. Apple was wrong to say that apps will always have certain specific attributes. Owens discovered that if he made an application that was really just a script — he tells another program what he does other than what he does — and that he didn’t include standard metadata files for applications called “info.plist,” he could silently run any application. Mac-tan. The operating system would not give its basic recommendation: “It is an application downloaded from the Internet. Are you sure you want to open it?”
Owens reported the error to Apple and shared his findings with longtime macOS security researcher Patrick Wardle, who conducted in-depth analysis of why macOS threw the ball away.
“The operating system says well,‘ Wait a minute, this is coming from the internet, I’m going to quarantine this and do all my controls, ’” Wardle says. First, macOS checks whether the app has been notarized or not, in this case not. But then it tracks whether the software is a bunch of applications; When it sees that there is no ‘info.plist’ file, MacOS incorrectly determines that it is not an application, ignores other evidence to the contrary, and allows the user to run it carelessly. “It’s just saying‘ OK, cool ’and nothing will run,” Wardle says. “They’re bonkers!”
After a thorough understanding of how the bug worked, Wardle turned to Apple-based device management company Jamf to find out if the anti-virus product from Jamf’s company marked a script-based malware that matched the criteria. In fact, Jamf marked the version of the version Shlayer adware that he was actively exploiting the mistake.
The Gatekeeper feature in MacOS, launched in 2012, requires users to be alerted if they want to run downloaded apps outside the Mac App Store. Over the years, however, the attackers have been able to deceive enough victims to agree that they can distribute their malware widely. But Apple’s notarization requirements, which went into effect in February 2020, have made it significantly more difficult for malware actors to target the Mac. If a user tries to run non-notarial software, macOS will completely reject the application. This poses a major problem for cybercriminals, in particular adware vendors, rely on a broad victim base to generate revenue.
The team that develops Shlayer has aggressively sought solutions, and has had them some success deceives Apple to notarize their malware. A bug that allows you to completely avoid the notification requirement, however, would be better, especially if the user is not fooled when they allow the malware to run.
[ad_2]
Source link