How Does Malware Impact Your Computer’s Performance?
Lance Stone : Jul 9, 2019 11:41:00 AM
A recently discovered security vulnerability could leave Mac users exposed to malware disguising itself in other programs. If your business relies on Mac, it’s important to know how you can protect your company from falling victim to a cyberattack.
What is the Security Vulnerability?
In early 2019, security researcher Filippo Cavallarin discovered a bug in Apple’s Gatekeeper functionality. Gatekeeper is the macOS service that inspects apps you want to open or install and checks that they carry a signature Apple recognizes. If they don’t, you get an “are you sure?” message before the installation completes.
Cavallarin found a flaw that lets untrustworthy apps trick Gatekeeper into giving the all-clear, so you never see that “do you really want to do this?” alert.
Instead, once Gatekeeper is bypassed, you simply see a “please download” prompt. The download could be a zip file that, once unpacked, runs code that connects back to the attackers’ server.
Cavallarin gave Apple 90 days to repair the flaw, but Apple did not, leading the researcher to disclose the exploit himself in late May. The vulnerability affects all macOS versions. As of this posting, Apple has yet to address the vulnerability.
How Can the Vulnerability Be Exploited?
In late June, cybersecurity companies noticed the first attempts to exploit the Gatekeeper bypass in the wild, now dubbed OSX/Linker. These first samples appeared to be a test of whether the flaw could really be exploited: all they did was write something to a text file on the compromised computer. The test runs were signed with certificates previously used by the known adware producers behind the OSX/Surfbuyer malware.
At present, it does not appear that the OSX/Linker malware has taken root outside of test environments.
The identified samples also relied on a technique that is common among malware writers. A second strain was disguised as an Adobe Flash Player installer, a tried and true approach that tricks Apple users into downloading malware when they think they are installing a routine software update.
This second strain, dubbed OSX/CrescentCore, checks for evidence of common third-party anti-malware software and reverse-engineering tools on the computer. It also checks whether it is running on a virtual machine. If any of these are present, it does not install itself. Researchers have already found OSX/CrescentCore on multiple websites, again disguised as an Adobe Flash Player installer.
CrescentCore also appeared via high-ranking Google search result listings, which redirected multiple times to a suspicious website.
Once installed, OSX/CrescentCore places a LaunchAgent in the Mac’s Library folder, which causes its code to run every time the user logs in.
It appears the malware authors obtained an Apple Developer ID, which they used to sign and deliver some of the samples.
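Because a LaunchAgent is just a property-list file that tells launchd what to run at login, an administrator can inventory them and flag entries that run at login from unusual locations. The script below is an added example, not code from the original post or from any vendor mentioned in it; the sample plist it parses is constructed here for illustration (the label and path are hypothetical, not a real indicator), and the list of "normal" executable prefixes is an assumption that you would tune for your own fleet.

```python
import plistlib
from pathlib import Path

# Constructed sample LaunchAgent plist (hypothetical, not a real malware artifact):
# an agent that launches a binary from a hidden directory at login.
SAMPLE_AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array><string>/Users/demo/Library/.hidden/updater</string><string>--quiet</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Directories launchd reads per-user and system-wide agents from.
LAUNCH_AGENT_DIRS = [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]

# Assumed "normal" locations for vendor executables; anything else deserves a look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Applications/", "/Library/Application Support/")


def describe_agent(plist_bytes):
    """Return (label, program, run_at_login) for one launchd agent plist."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    # launchd accepts either a single Program path or a ProgramArguments array.
    program = data.get("Program") or (args[0] if args else None)
    return data.get("Label"), program, bool(data.get("RunAtLoad", False))


def is_suspicious(program, run_at_login):
    """Flag agents that run at login from a hidden or non-standard path."""
    if program is None:
        return False
    if "/." in program:          # a hidden path component such as /Library/.hidden/
        return True
    return run_at_login and not program.startswith(TRUSTED_PREFIXES)


def scan_dirs(dirs=LAUNCH_AGENT_DIRS):
    """Walk the LaunchAgents directories and return a list of findings."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        for path in sorted(d.glob("*.plist")):
            try:
                label, program, run_at_login = describe_agent(path.read_bytes())
            except Exception as exc:  # malformed plist is itself worth reporting
                findings.append((str(path), None, None, f"unreadable: {exc}"))
                continue
            if is_suspicious(program, run_at_login):
                findings.append((str(path), label, program,
                                 "runs at login from a hidden or non-standard path"))
    return findings


if __name__ == "__main__":
    label, program, run_at_login = describe_agent(SAMPLE_AGENT_PLIST)
    print(f"sample agent {label}: runs {program}, RunAtLoad={run_at_login}, "
          f"suspicious={is_suspicious(program, run_at_login)}")
    for finding in scan_dirs():
        print(*finding, sep=" | ")
```

Run it on a Mac and review anything it reports against your software inventory; on other systems it only exercises the constructed sample, since the LaunchAgents directories do not exist there.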
Another identified exploit, called OSX/NewTab, inserts new tabs into a Safari browser session. The injected tabs can contain loaders or malware packages.
One danger of this malware is that the embedded code on the disk images points to a malicious app hosted on a single linked server. That means a new malicious app could be distributed to victims at any time simply by changing what that server hosts.
Aren’t Apple Computers Virus-Proof and Much Safer than Windows and Other Operating Systems?
It’s a longstanding myth that Macs are inherently safer than Windows PCs. In recent years, hackers have increasingly targeted Apple operating systems to exploit vulnerabilities.
In February 2018, for example, OSX/Shlayer was discovered, yet another Adobe Flash Player scam that would download additional adware and malware. Like the newly discovered threats, it also looked for installed anti-malware software. The same year brought the discovery of OSX/MaMi, which pointed an infected computer at an attacker-controlled server, letting the attackers see which websites the machine visited, even over encrypted connections.
June 2018 was an active month for malware discovery. There were several types of malware that exploited a Firefox browser vulnerability. A cryptocurrency miner was discovered embedded in pirated copies of audio software, making it possible to take over a Mac’s processing capabilities to mine.
What Can My Business Do To Protect Our Systems?
There are several security steps to take if any device connected to your business network runs an Apple operating system.