2023-08-14 15:21:30
With macOS Ventura 13, Apple introduced Background Task Management, a mechanism that lets users see, and grant permission for, apps that perform tasks while they are not open — a relevant function, but one that can be circumvented.
At DEF CON 2023, security researcher Patrick Wardle presented vulnerabilities in this mechanism that can be exploited to bypass it, allowing malware to persist and run without the user knowing.
3️⃣ “Demystifying (& Bypassing) macOS’s Background Task Management”
Apple’s BTM, seeks to centralize (& govern) persistent tasks.
We’ll dive into its internals, demo new tools that leverage BTM to detect persistent malware, & use 0days to bypass both its alerts & ES messages pic.twitter.com/gBEMigTZri
— Patrick Wardle (@patrickwardle) August 7, 2023
Among the vulnerabilities, Wardle found two methods that do not require root access to work, including one that abuses how the system communicates with the kernel. A third method requires root access to run — which still deserves attention, since attackers who already have “high levels of access” can use it to prevent macOS alerts from appearing.
The researcher pointed out that there should be a tool that notifies the user when something is installed on the Mac; however, the mechanism’s current implementation was, in his words, “so poorly done that any reasonably sophisticated malware can trivially bypass the monitoring” of the system.
Wardle had already reported some early issues in the mechanism to Apple, and they were fixed. However, the company apparently did not look into the underlying problems.
We went back and forth and eventually they fixed the problem, but it was like putting duct tape on a plane as it’s falling. They didn’t realize that the feature needs a lot of work.
Wardle said he chose to announce these bugs at DEF CON without first notifying Apple because he had already notified the company of the earlier flaws — which might have led to improving the overall quality of the tool more broadly.
He also added that bypassing this monitoring simply returns the security state of macOS to what it was a year ago, before Background Task Management was released, so the mechanism “gives users and developers a false sense of security”.
Contacted by WIRED, which first covered Wardle’s findings, Apple had yet to provide an official statement on the researcher’s conclusions.
#Malware #Bypass #macOS #Background #Task #Manager