
Apple patched the bug as CVE-2021-30657, noting "a malicious application may bypass Gatekeeper checks". The security researcher Cedric Owens uncovered the flaw and initially reported the bug to Cupertino. Cedric notes the bug manifested while building red team payloads via the appify developer tool. He's posted a must-read that provides step-by-step details on how this bug may be practically leveraged to surreptitiously deliver payloads in red team exercises: "macOS Gatekeeper Bypass (2021) Addition". Epic find Cedric! 🤩

However, as the underlying cause of the bug remained unknown, our blog post focuses on uncovering the reason …ultimately discovering a flaw that lay deep within macOS’s policy subsystem(s).

There’s a rather massive amount of information presented in this blog post, so let’s break down what we’re going to cover:

We begin the post with a discussion of common (user-assisted) infection vectors and highlight security mechanisms that Apple has introduced to keep users safe. It is important to understand these core macOS security mechanisms, as they are the very mechanisms the bug trivially and wholly bypasses.

The core of the blog post digs deep into the bowels of macOS to uncover the root cause of the bug. In this section, we'll detail the flaw which ultimately results in the misclassification of quarantined items, such as malicious applications. Such misclassified apps, even if unsigned (and unnotarized), will be allowed to run uninhibited.

Unfortunately a subversive malware installer is already exploiting this flaw in the wild, as a 0day. In this section of the post, we briefly discuss this worrisome finding.

Next, after reverse-engineering Apple's 11.3 update, we describe how Cupertino addressed this flaw. And good news, once patched, macOS users should regain full protection.

Finally, we'll wrap things up with a brief discussion on protections, most notably highlighting the fact that BlockBlock already provided sufficient protection against this 0day. Here, we'll also discuss a novel idea aimed at detecting previous attacks that exploited this flaw, and provide a simple Python script, scan.py, to automate such detection!

The majority of Mac malware infections are a result of users (naively, or mistakenly) running something they should not. And while such infections, yes, do require user interaction, they are still massively successful. In fact, the recently discovered Silver Sparrow malware successfully infected over 30,000 Macs in a matter of weeks, even though such infections did require such user interactions. (See: “Mysterious Silver Sparrow Malware Found Nesting on 30K Macs”).

And how do malware authors convince such users to infect themselves? Ah, in a myriad of creative, wily, and surreptitious ways such as:

- Example(s): OSX.InstallCore, and countless other adware.
- Example(s): OSX.Shlayer, OSX.SilverSparrow, etc.
- Example(s): OSX.iWorm, OSX.BirdMiner, etc.
- Example(s): OSX.Shlayer, OSX.Siggen, etc.
- Example(s): OSX.LaoShu, OSX.Janicab, etc.
- Example(s): OSX.Proton, OSX.KeRanger, etc.

Yes, when the user falls for some of these infection vectors (e.g. pirated applications) we collectively shake our heads and wonder “well, what did you expect!?”; however, other infection vectors are far more surreptitious and arguably the user is not at fault in any way. For example, in a supply chain attack, where a legitimate software distribution website is hacked and legitimate products are trojanized, it’s unreasonable to blame any user who inadvertently downloads and runs such software.

Regardless of who’s at fault (or not), Apple seems to feel personally attacked.
