The Background Task Manager in macOS Ventura isn't as effective as it could be, as a security researcher claims it can be easily bypassed.
Apple introduced the Background Task Manager as part of macOS Ventura in October 2022. The tool is meant to alert the user, and any security software subscribed to its events, whenever a new persistent item is installed on the system, which should make it harder for malware to quietly set itself up to survive reboots.
However, a Defcon presentation shows that the system is sound in theory yet easily bypassed in practice. Patrick Wardle outlined several ways a malicious app can defeat the monitoring, so that persistence which should trigger a notification never does, leaving users with no hint that malware keeps running in the background.
"There should be a tool [that notifies you] when something persistently installs itself, it's a good thing for Apple to have added," Wardle said at Defcon, according to Wired, "but the implementation was done so poorly that any malware that's somewhat sophisticated can trivially bypass the monitoring."
Wardle, whose own BlockBlock tool has long notified users of persistence events, says he knows the challenges of building such a feature, and had wondered "if Apple's tools and frameworks would have the same issues to work through" as his version. It turns out they do, and consequently, "malware can still persist in a manner that is completely invisible."
Notifying Apple
Wardle did find some initial basic issues that he reported to Apple, and those did get fixed. However, Apple seemingly did not dig any deeper into the feature.
"We went back and forth, and eventually, they fixed that issue, but it was like putting some tape on an airplane as it's crashing," Wardle summarized. "They didn't realize that the feature needed a lot of work."
Among the bypasses, Wardle found two that do not require root access. One exploits a bug in the way the system communicates with the kernel. The other abuses the ability to put a process to sleep: suspending the right process is enough to keep the notifications from being delivered.
A third bypass does require root access, but Wardle insists it still needs attention: attackers routinely gain that level of access, and once they have it they would be keen to stop the notifications from appearing.
Unlike with the earlier issues, Wardle chose not to notify Apple about these bypasses before the presentation, since he had already told the company about problems in the system that could have prompted more comprehensive improvements. Withholding them is also not a major escalation, as it effectively returns the situation to where it stood a year ago, before the feature existed.
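The practical lesson for defenders is not to treat Background Task Manager's notifications as the only record of persistence on a Mac. The script below is an added example, not code from the article, from Wardle, or from Apple: it enumerates launchd persistence directly by parsing the property lists in the standard LaunchAgent and LaunchDaemon directories, reports what will run at login or boot, and flags a few things a reviewer would look at first. The directory list, the heuristics and the sample plists are this example's own assumptions; the sample plists are constructed so the scan can be demonstrated offline.

```python
"""Enumerate launchd persistence items independently of Background Task Manager.

Added example. Scans launchd plist directories, parses each job definition and
reports the program that launchd will start, plus a few review heuristics.
"""
import os
import plistlib
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the standard launchd job directories on macOS. The per-user
# LaunchAgents directory depends on $HOME, so it is added by user_dirs().
SYSTEM_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
]


@dataclass
class PersistenceItem:
    path: str           # plist file the job was read from
    label: str          # launchd job label
    program: str        # executable launchd will start
    run_at_load: bool   # starts automatically at login/boot
    keep_alive: bool    # launchd restarts it if it exits
    notes: List[str]    # heuristics that fired (empty if nothing stood out)


def parse_launchd_plist(path: str) -> Optional[PersistenceItem]:
    """Parse one launchd plist; returns None if it is unreadable or malformed."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:  # unreadable file, bad XML, or not a plist: skip, never crash
        return None
    if not isinstance(data, dict):
        return None

    # launchd accepts Program or ProgramArguments; ProgramArguments[0] takes precedence.
    args = data.get("ProgramArguments")
    program = str(args[0]) if isinstance(args, list) and args else str(data.get("Program", ""))

    # KeepAlive is either a bool or a dict of conditions; a dict means "sometimes restart".
    ka = data.get("KeepAlive", False)
    keep_alive = bool(ka) if isinstance(ka, (bool, dict)) else False

    item = PersistenceItem(
        path=path,
        label=str(data.get("Label", os.path.basename(path))),
        program=program,
        run_at_load=bool(data.get("RunAtLoad", False)),
        keep_alive=keep_alive,
        notes=[],
    )
    # Heuristics are this example's own, not anything Background Task Manager applies.
    if item.run_at_load and item.keep_alive:
        item.notes.append("starts automatically and is restarted if killed")
    if program.startswith(("/tmp/", "/var/tmp/", "/private/tmp/")):
        item.notes.append("program lives in a temp directory")
    if "/." in program:
        item.notes.append("program lives in a hidden directory")
    if not program:
        item.notes.append("no Program or ProgramArguments")
    return item


def enumerate_persistence(dirs: List[str]) -> List[PersistenceItem]:
    """Parse every .plist directly inside the given directories; missing dirs are skipped."""
    items: List[PersistenceItem] = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                item = parse_launchd_plist(os.path.join(d, name))
                if item is not None:
                    items.append(item)
    return items


def user_dirs(home: str = os.path.expanduser("~")) -> List[str]:
    return SYSTEM_DIRS + [os.path.join(home, "Library", "LaunchAgents")]


def build_sample_dir() -> str:
    """Constructed sample input: two plists plus one junk file, written to a temp dir."""
    d = tempfile.mkdtemp(prefix="launchd-sample-")
    samples = {
        "com.example.benign.plist": {
            "Label": "com.example.benign",
            "Program": "/usr/local/bin/backup",
            "StartInterval": 3600,
        },
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/tmp/.cache/upd", "-q"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for name, payload in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(payload, fh)
    with open(os.path.join(d, "broken.plist"), "w") as fh:
        fh.write("not a plist")  # must be skipped, not abort the scan
    return d


if __name__ == "__main__":
    for it in enumerate_persistence([build_sample_dir()] + user_dirs()):
        flag = "!" if it.notes else " "
        print(f"{flag} {it.label:40} {it.program}  run_at_load={it.run_at_load} keep_alive={it.keep_alive}")
        for n in it.notes:
            print(f"      - {n}")
```

Run as-is it prints the constructed samples first, then whatever launchd jobs exist on the machine; the flagged line is the constructed "updater" that starts at login, is restarted if killed, and lives in a hidden temp directory. On a real system the output is a baseline to diff over time, which is exactly the cross-check a bypassed notification cannot defeat.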
Wardle regularly uses his expertise to showcase issues in macOS. For Defcon 2022, he shared an issue in Zoom on macOS.
2 Comments
I wonder if Apple's attitude here is being affected by the rule they reportedly have about older bugs, where they only apply resources to fixing "new" issues - if a bug falls far enough down the priority list it will effectively never get fixed.
I'm glad Patrick and other security researchers keep investigating; hopefully the increased attention will help shift Apple's priorities. I like to think that Apple's decision to keep this system in its current imperfect state is an unusual occurrence, but it's a sign of quality standards being lowered and I fear that it's an ongoing trend.
Patrick Wardle is very clever and writes very clearly.