macOS is generally believed to be bulletproof against malware attacks. Unfortunately, statistics reveal a different picture where Apple’s operating system is often found vulnerable. For instance, in 2017 security researchers detected an increase of 28.83 percent of total reported security flaws in comparison with 2016. In 2022, Apple has already released a number of emergency patches addressing dangerous zero-day vulnerabilities.
Furthermore, the number of active malware campaigns against Macs is growing. Macs are frequently endangered by potentially unwanted programs such as the numerous variants of the popular AdLoad bundleware family that slow down their overall performance and compromise their privacy. But Macs are also targeted by far more serious malicious campaigns that drop Trojans like OSX.Calisto and worms like Backdoor:OSX/Iworm.
Why is it crucial to pay attention to the vulnerabilities in macOS, and Apple’s software in general? If vulnerabilities have been exposed in any operating system, the system becomes susceptible to malware attacks. macOS is not an exclusion.
What types of vulnerabilities lurk in macOS? Let’s find out…
Code Execution Vulnerabilities
Let’s take code execution vulnerabilities that have been increasing in macOS – they can be triggered remotely and can be used in various malicious scenarios. This type of security flaw is favored by threat actors because it allows them to bypass authentication and run any type of code. This can happen covertly, without the user’s knowledge.
Such a vulnerability was discovered in Xcode for macOS High Sierra in June 2019. Not surprisingly, the flaw could allow for arbitrary code execution, warned CIS security researchers.
What is Xcode? It is an integrated development environment that contains a suite of software development tools created by Apple. In case of exploit, this vulnerability could lead to arbitrary code execution within the application. As a result, the attacker could gain the same privileges as the logged-in user. Security restrictions could also be bypassed easily. Depending on the level of privileges, the attacker could install programs, tamper with data on the device, and create new accounts with full user rights.
A more recent example of remote code execution vulnerabilities include CVE-2022-22674 and CVE-2022-22675 in in iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1, and watchOS 8.5.1.
Data Theft Vulnerabilities
Security firm F-Secure recently unveiled a dangerous firmware exploit that affected almost all Mac and Windows laptops and desktop computers. This vulnerability could lead to data theft, and even left Macs with FileVault turned on susceptible, TechCrunch reported.
The firmware exploit stemmed from the way almost any Mac or Windows machine overwrite data when they are turned off. The vulnerability was based on the so-called cold boot attack where threat actors could harvest data from a turned-off computer.
The issue was discovered by F-Secure researchers Olle Segerdahl and Pasi Saarinen. Even though the vulnerability required physical access to leverage it, it shouldn’t be overlooked. At the very least, this exploit shows that both Microsoft and Apple’s operating systems have similar problems, despite the widely marketed belief that one is more secure than the other.
MacOS Zero-Day Vulnerabilities
In August, 2018, the well-known security researcher Patrick Wardle uncovered a zero-day in Apple software just by altering a few lines of code. A demonstration during the Defcon conference in Las Vegas showed that this vulnerability can be easily used by threat actors in malware operations. The vulnerability is classified as a shortcoming of the operating system’s design and tracked in the CVE-2017-7150 advisory.
The zero-day is triggered by abusing the user interface via a novel technique that generates “synthetic clicks” emulating user behaviour. This allows threat actors to automatically bypass notification and warning prompts by fooling the system.
Instead of emulating mouse movement itself (which has already been used in previous malware), this technique relies on a feature called mouse keys, which converts keyboard interaction into mouse actions. This is triggered by pressing specific keys on the keyboard which in turn are interpreted by the operating system as mouse presses, and accepted as regular user movements thus passing through security alerts.
Here’s the official description of the vulnerability:
An issue was discovered in certain Apple products. macOS before 10.13 Supplemental Update is affected. The issue involves the “Security” component. It allows attackers to bypass the keychain access prompt, and consequently extract passwords, via a synthetic click.
A more recent example of a zero-day vulnerability is CVE-2022-22675, described as an out-of-bounds write issue in the AppleAVD component. The latter is a kernel extension used for audio and video decoding. The vulnerability could allow apps to execute arbitrary code with kernel privileges.
Multiple security vulnerabilities were reported in Apple macOS a couple of years ago. As explained in the security advisory, “an issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected”.
It appears that the issues involved the pktmnglr_ipfilter_input in com.apple.packet-mangler in the “Kernel” component. A remote attacker could be able to execute arbitrary code in a privileged content or cause a denial-of-service condition with the help of a specially crafted app. ecurity restrictions could also be bypassed.
It should be noted that the security score for this set of flaws is quite high – 9.3.
Kernel Level Memory Corruption Vulnerabilities
Just last month Trustwave SpiderLabs security researchers uncovered a Webroot SecureAnywhere vulnerability that could allow threat actors to run malicious code in local kernel mode code. The vulnerability is assigned the CVE-2018-16962 advisory and is dubbed “Webroot SecureAnywhere macOS Kernel Level Memory Corruption.”
In technical terms, the vulnerability arms a threat actor with a write-what-where kernel gadget with the caveat that the original value of the memory referenced by the pointer must be equal to (int) -1, Trustwave explained.
The vulnerability was local, meaning that attacks had to be based on executing malicious code on the system, or social engineering tactics had to be deployed to trick users into running the exploit. This makes the exploit more complex and time-consuming for attackers, but it still is a potential threat to macOS users.