RSA Conference

RSA 2022: All Your Macs Belong to Us… Again!

Three ways to protect your macOS from bugs

One of the selling points of macOS used to be that it was far less prone to cyberattacks than Windows-based systems. That may have been true several years ago. No longer. Cyberattacks are now an equal-opportunity threat.

Indeed, during his RSA session, Objective-See founder Patrick Wardle argued that recent macOS infections have effectively undone more than a decade of Apple's security work. His message to attendees: the sooner users and developers understand the threats posed to the operating system, the more likely they are to put the necessary protections in place. As with all threats, education is everything.

In some respects, Apple is simply the victim of its own stunning success. As Macs become more prevalent in the enterprise, the number of threats targeting them has grown to the point where Wardle put it on a par with the number of attacks aimed at Windows-based machines.

As attacks against macOS increased, Apple put various measures in place. In 2008 the company launched File Quarantine, which warns users that the item they are about to run was downloaded from the internet. A decent start, Wardle said, but ultimately toothless: users commonly click through the prompt without taking the warning seriously. Gatekeeper, introduced in 2012, and Notarization, in 2019, both improved the process, but only to a point.

As Broadcom Software cautioned back in 2021, while Gatekeeper and Notarization make it challenging for malicious actors to get malware installed on a Mac, malware authors have always recognized that security is only as strong as its weakest link, and that weak link is the human user.

Gatekeeper intercepts downloaded items and blocks apps it finds to be unsigned, while Notarization requires developers to submit their applications to Apple, which either approves them or refuses them entry. To Wardle, Notarization was "a strong step in the right direction."

But not strong enough. Despite those measures, two separate developers discovered two different bugs, each of which bypassed every security measure Apple has painstakingly built up over the last decade. These vulnerabilities allowed unsigned apps to slip past the foundational mechanisms of File Quarantine, Gatekeeper and Notarization alike, patches notwithstanding.
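To make the three layers concrete, here is an added example (not code from Wardle's talk or from Broadcom) that inspects, for one downloaded item, what File Quarantine, Gatekeeper and Notarization have to say about it. It assumes macOS with Apple's xattr, codesign and spctl tools on the PATH and the well-known layout of the com.apple.quarantine attribute value (flags; hex timestamp; downloading agent; UUID). The sample attribute value is constructed, and the quarantine_field and check_download helper names are this example's own.

```shell
#!/bin/sh
# Added example: inspect the three macOS download protections for one item.
# Assumptions (not from the article): Apple's xattr, codesign and spctl are on
# PATH when run on macOS; the com.apple.quarantine value has the well-known
# layout "flags;hex-timestamp;downloading-agent;uuid".

# Constructed sample value, not copied from any real download.
SAMPLE_QUARANTINE='0083;63a0b1c2;Safari;9B6F5C1E-0000-4000-8000-000000000001'

# Split a com.apple.quarantine value into its four fields, one key=value per
# line. The second field is a hex seconds-since-epoch timestamp; it is printed
# in decimal so it can be fed to date(1).
parse_quarantine() {
  value=$1
  flags=${value%%;*};  rest=${value#*;}
  ts_hex=${rest%%;*};  rest=${rest#*;}
  agent=${rest%%;*};   rest=${rest#*;}
  uuid=$rest
  printf 'flags=%s\n' "$flags"
  printf 'timestamp=%d\n' "$((0x$ts_hex))"
  printf 'agent=%s\n' "$agent"
  printf 'uuid=%s\n' "$uuid"
}

# Convenience accessor: quarantine_field VALUE NAME -> prints that one field.
quarantine_field() {
  parse_quarantine "$1" | sed -n "s/^$2=//p"
}

# Run the live checks on a downloaded app bundle or executable (macOS only).
# Exit status: 0 if all three layers report OK, 1 if something was rejected
# or missing, 2 if the Apple tools are unavailable on this host.
check_download() {
  target=$1
  for tool in xattr codesign spctl; do
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found; run this on macOS" >&2; return 2; }
  done

  # 1. File Quarantine: without this attribute Gatekeeper is never consulted,
  #    so an unflagged download launches with no policy check at all.
  if q=$(xattr -p com.apple.quarantine "$target" 2>/dev/null); then
    echo "quarantine attribute present:"
    parse_quarantine "$q"
  else
    echo "no quarantine attribute: Gatekeeper will not assess this item on launch"
    return 1
  fi

  # 2. Gatekeeper's signature requirement: is the code signed and intact?
  codesign --verify --deep --strict --verbose=2 "$target" || return 1

  # 3. System policy assessment: prints "accepted" plus a source= line that
  #    reads "Notarized Developer ID" for notarized software.
  spctl --assess --type execute --verbose=4 "$target" || return 1
}

# Usage: ./check_download.sh /path/to/Downloaded.app
if [ -n "${1:-}" ]; then
  check_download "$1"
fi
```

The point of the first check is the one Wardle's bypasses turn on: every later layer is only ever consulted for items that File Quarantine flagged, so a missing or mis-handled quarantine attribute is enough to skip Gatekeeper and Notarization entirely.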

During his presentation, Wardle demonstrated how user assistance is the primary driver of macOS infections. Users are tricked into believing that the sites they visit or the content they download is legitimate. According to research, the volume of threats targeting macOS is equal to or higher than that against Windows, which has raised alarms in the Apple world only recently.

The bad news: these two bugs got through the gates, and more are likely on the way. The good news: both bugs are shallow and not difficult to fix. Neither was found by a complicated reverse-engineering effort; both were stumbled upon by developers who noticed that certain script-based apps were missing information the security checks expect. They are, said Wardle, "powerful logic bugs": simple to craft and deploy, but just as simple to find and contain.

Users who don't want to wait for Apple's next security layer can take three steps to keep their Macs protected.

First, install all patches as soon as they are released. Apple has a record of creating patches for its security flaws. Don't wait: make sure every patch is installed, especially if your system holds sensitive files or data.

Second, install a Mac-centric Endpoint Detection and Response (EDR) product that continuously monitors all your devices, from your laptop to your desktop to your iPad, and automatically detects and responds to ransomware and other malware.

Finally, keep learning about macOS threats. The cat-and-mouse game between attackers and end users is not ending anytime soon. Keeping up with current bugs keeps you a step ahead in protecting your system.

To learn more on how Broadcom Software can help you modernize, optimize and protect your enterprise, contact us here.


About the Author

Mark Guarino

Story + Content Lead, Big Valley Marketing
