Compile: Code Guard
One of the Mac's built-in malware detection tools, "macOS Background Task Management," may not work as well as we think. At the Defcon hacking conference in San Francisco, veteran Mac security researcher Patrick Wardle presented multiple vulnerabilities in the mechanism that can be used to bypass and defeat Apple's latest monitoring tool.
There is currently no foolproof way to catch malware on a computer with 100 percent accuracy, because malware is essentially just software, like a web browser or a chat application. Distinguishing legitimate programs from malicious ones is hard, so operating system vendors such as Microsoft and Apple, as well as third-party security companies, keep developing new detection mechanisms and tools that flag potentially malicious behavior in new ways.
Apple's Background Task Management tool focuses on software "persistence." Malware can be designed to be short-lived, running only briefly on the device or only until the computer restarts. But malware can also dig in deeper and "persist" on a target, surviving a shutdown and restart. A lot of legitimate software needs persistence too, so that apps, data, and preferences come back every time the user turns the device on or relaunches the software. But if a piece of software suddenly establishes persistence, that can be a sign of malware.
To this end, in October 2022, Apple added Background Task Management to macOS Ventura. It sends a notification directly to the user, or to third-party security tools running on the system, whenever a "persistent event" occurs. If the user knows they have just downloaded and installed a new app, the notification can be ignored; otherwise, the user should assume the machine may have been compromised.
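To make the "persistent event" idea concrete, here is a small added example (not Apple's code and not from Wardle's tools) of the snapshot-and-diff logic a persistence monitor performs at the filesystem level: it records the launchd plist files in the watched directories, records them again later, and reports every item that appeared, changed, or disappeared in between. The directory list and the sample launch agent are assumptions for illustration; Apple's real implementation additionally relies on kernel-level notifications, which this example does not reproduce.

```python
"""Minimal persistence-event monitor (added example, not Apple's or Wardle's code).

macOS Background Task Management reports "persistent events" such as a new
launch agent or daemon.  This toy reimplements the idea on a filesystem level:
snapshot the launchd plist directories, snapshot again later, and report every
item that appeared, changed or vanished in between.
"""
import hashlib
import os
import plistlib
import tempfile

# Conventional launchd persistence locations on macOS (assumed here for
# illustration; the monitor treats them as plain directories).
DEFAULT_PERSISTENCE_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]


def _sha256(path):
    """Content hash so that edits to an existing item are noticed too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(dirs):
    """Map every .plist under the watched directories to its content hash."""
    state = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if name.endswith(".plist") and os.path.isfile(path):
                state[path] = _sha256(path)
    return state


def describe(path):
    """Pull the label and launched program out of a launchd plist, if it parses."""
    try:
        with open(path, "rb") as f:
            plist = plistlib.load(f)
    except Exception:
        return {"label": None, "program": None, "parse_error": True}
    program = plist.get("Program") or " ".join(plist.get("ProgramArguments", []))
    return {"label": plist.get("Label"), "program": program or None, "parse_error": False}


def persistence_events(before, after):
    """Diff two snapshots into (event, path, details) tuples, sorted by path."""
    events = []
    for path, digest in after.items():
        if path not in before:
            events.append(("added", path, describe(path)))
        elif before[path] != digest:
            events.append(("modified", path, describe(path)))
    for path in before:
        if path not in after:
            events.append(("removed", path, None))
    return sorted(events, key=lambda e: e[1])


def demo():
    """Constructed scenario: a launch agent appears between two snapshots."""
    with tempfile.TemporaryDirectory() as root:
        agents = os.path.join(root, "LaunchAgents")
        os.mkdir(agents)
        before = snapshot([agents])  # nothing persisted yet
        # Constructed sample item (hypothetical label and program path).
        sample = {
            "Label": "com.example.updater",
            "ProgramArguments": ["/tmp/updater", "--quiet"],
            "RunAtLoad": True,
        }
        with open(os.path.join(agents, "com.example.updater.plist"), "wb") as f:
            plistlib.dump(sample, f)
        after = snapshot([agents])
        return persistence_events(before, after)


if __name__ == "__main__":
    # On a real system: snapshot(DEFAULT_PERSISTENCE_DIRS) now, again later, then diff.
    for event, path, details in demo():
        print(event, os.path.basename(path), details)
```

The point of the diff step is the one the article makes: a new launch agent is not malicious in itself, so the monitor reports the event and leaves it to the user or a security product to decide whether the installation was expected. A monitor that polls like this one is also exactly what an attacker wants to silence, which is why the bypasses Wardle describes, which suppress the notification rather than the persistence itself, matter.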
"There should be tools to notify when some software keeps installing itself," Wardle said. "It's good that Apple added that, but it's implemented so poorly that any malware with a bit of sophistication can easily bypass monitoring."
Apple has yet to comment.
As part of the Objective-See Foundation, which provides free and open source macOS security tools, Wardle released a similar persistence-event notification tool, BlockBlock, years ago. He said, "Because I've written similar tools, and I knew the challenges of my own tools, I wondered if Apple's tools and frameworks would have the same problems to overcome, and they did. Malware persistence can still be achieved in a completely invisible way."
When Background Task Management was first released, Wardle found a more fundamental problem in the tool that could cause persistent-event notifications to fail outright. He reported the problems to Apple, which fixed those bugs but did not address the deeper issues.
“We had a lot of back and forth, and Apple eventually fixed it, but it was like putting duct tape on a disintegrating plane, and they didn’t realize it was a lot of work,” Wardle said.
One of the bypass methods Wardle shared requires root access to the target device, meaning the attacker needs full control of the machine before they can stop the user from receiving the persistence warning. Fixing the bugs behind this attack still matters, because attackers do sometimes gain that level of access, and suppressing the notifications would let them install as much malware as they like without alerting anyone.
More worrying, Wardle also found two paths that do not require root access to disable the persistence notifications that Background Task Management is supposed to send to users and security monitoring products. One bypass abuses a bug in the way the alerting system communicates with the kernel, the core of the operating system. The other abuses a capability that lets users, even those without deep system privileges, put processes to sleep. Wardle found that this capability can be used to disrupt a persistence notification before it reaches the user.
Wardle said he presented these bypasses at Defcon without notifying Apple first because he had already reported issues with the tool to Apple, and he wants Apple to improve its overall quality rather than patch individual bugs. He noted that bypassing the monitoring tool only puts macOS back where it was a year ago, before the feature existed. But he argued that Apple shipping monitoring tools that appear rushed, or that needed more testing, is itself a problem, because it gives users and security vendors a false sense of security.
Original link
https://arstechnica.com/security/2023/08/researcher-finds-easy-exploits-for-apples-malware-flagging-tool/
Title image: Pixabay License
This article was compiled by Qi Anxin and does not represent the views of Qi Anxin. Please indicate "Reprinted from Qi Anxin Code Guard https://codesafe.qianxin.com".