“The malware we uncovered using this technique is an updated version of Shlayer, a family of malware that was first discovered in 2018.
Jamf also published a technical blog post about the malware. Jamf detections lead Jaron Bradley confirmed that a sample of the Shlayer malware family exploiting the bug was captured in early January, several months prior to Owens’ discovery. With knowledge of how the bug works, Wardle asked Mac security company Jamf to see if there was any evidence that the bug had been exploited prior to Owens’ discovery.
READ APPLE ERROR REPORT FOR OS X UPDATE
“The update will now result in the correct classification of applications as bundles and ensure that untrusted, unnotarized applications will (yet again) be blocked, and thus the user protected,” he told TechCrunch. Wardle described the bug as rendering macOS’ security features as “wholly moot.” He confirmed that Apple’s security updates have fixed the bug.
READ APPLE ERROR REPORT FOR OS X CODE
But Owens found that taking out this property file and building the bundle with a particular structure could trick macOS into opening the bundle - and running the code inside - without triggering any warnings. In simple terms, macOS apps aren’t a single file but a bundle of different files that the app needs to work, including a property list file that tells the application where the files it depends on are located. The bug meant that macOS was misclassifying certain app bundles and skipping security checks, allowing Owens’ proof-of-concept app to run unimpeded. In a technical blog post today, Wardle explained that the vulnerability triggers due to a logic bug in macOS’ underlying code. Owens asked Mac security researcher Patrick Wardle to investigate how - and why - the bug works. Apple also patched earlier macOS versions to prevent abuse, and pushed out updated rules to XProtect, macOS’ in-built anti-malware engine, to block malware from exploiting the vulnerability.
(Image: supplied)įearing the potential for attackers to abuse this vulnerability, Owens reported the bug to Apple.Īpple told TechCrunch it fixed the bug in macOS 11.3. The proof-of-concept app disguised as a harmless document running on an unpatched macOS machine.
0 kommentar(er)
