A newly disclosed Mac OS bug allows attackers to hijack installed applications by an unusual route. The flaw is largely unknown to Mac users and even to administrators.
A Largely Unknown Mac OS Bug Allows Malicious Users To Manipulate Apps
A new security report describes a Mac OS bug that appears to be largely unknown to most users of the operating system. Abusing it lets an attacker hijack any installed application and access its contents. The issue stems from an incomplete check by the system. Mac OS will not launch downloaded applications (user-installed software) that are not code-signed: executables without a valid signature are blocked. This lets Apple control the application environment, since unsigned applications cannot easily be distributed and updates fail if the signature check does not complete successfully.
A closer look shows that Apple's check is performed when an application is first run rather than on every launch. A newly installed executable carries a flag (the quarantine attribute that Mac OS applies to downloaded files); on first launch the code signature is verified and, if it passes, the flag is removed. Removing the flag tells the operating system to treat the software as trusted, and from then on Mac OS no longer repeats the signature check when the application runs.
This mechanism is easy to abuse. The attacker replaces the legitimate executable in an app bundle with a malicious one, renaming the original rather than deleting it so that it can still be launched. Because the bundle has already been marked trusted, the new binary is not re-checked. The proof-of-concept demonstration shows the result: the original app starts and behaves as usual, while the malicious copy runs alongside it in the background.
Earlier incidents that exploited this vulnerability all required modifying code, whereas this approach is easier to carry out. It could be used against Mac OS computers even by inexperienced attackers.
The worrying point is that, according to the security experts, this particular vulnerability is unlikely to be fixed, because it is the way the operating system is designed to work. For now the short-term mitigation is for developers to have their applications verify their own signatures at launch (on Mac OS the Security framework's code-signing API, for example SecCodeCopySelf followed by SecCodeCheckValidity against the app's designated requirement, exists for this) rather than relying on the system's one-time check.
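As an added example that is not from the article or from the researchers it cites, the following Python script looks for the bundle state described above (a second Mach-O executable sitting next to the one Info.plist names) and, as a lightweight form of the self-check developers are advised to add, verifies the sealed resources against the SHA-256 hashes recorded in _CodeSignature/CodeResources. The bundle it inspects is a constructed toy bundle containing only Mach-O magic headers, built in a temporary directory so the script runs on any OS; the names Demo.app, Demo_real, strings.txt and all function names are my own. It is a triage heuristic only: the main executable's signature is embedded in the Mach-O and is not verified here, so on a real Mac the authoritative check remains `codesign --verify --deep --strict --verbose=2 /path/to/App.app`, and an in-app self-check should use the Security framework APIs named above.

```python
"""Audit a macOS .app bundle for the executable-swap pattern described above.

Added example, not the article's or the researchers' code.  The bundle it
builds is a constructed toy (Mach-O magic bytes only); nothing here calls
Apple's codesign or Gatekeeper.
"""
import hashlib
import os
import plistlib
import tempfile

# Mach-O and fat-binary magic numbers (first four bytes), both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # universal (fat)
}


def is_macho(path):
    """True if the file starts with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def audit_bundle(app_path):
    """Return a list of findings; an empty list means nothing suspicious.

    1. Contents/MacOS must hold only the executable named by CFBundleExecutable;
       a renamed original beside a stand-in is the hijack pattern.
    2. Every file sealed in CodeResources 'files2' must still match its
       recorded SHA-256 ('hash2').  The main executable's own signature is
       inside the Mach-O, not in CodeResources, so it is NOT verified here.
    """
    contents = os.path.join(app_path, "Contents")
    findings = []
    with open(os.path.join(contents, "Info.plist"), "rb") as fh:
        main_exe = plistlib.load(fh)["CFBundleExecutable"]

    macos_dir = os.path.join(contents, "MacOS")
    if not os.path.isfile(os.path.join(macos_dir, main_exe)):
        findings.append(f"missing main executable MacOS/{main_exe}")
    for name in sorted(os.listdir(macos_dir)):
        full = os.path.join(macos_dir, name)
        if name == main_exe or not os.path.isfile(full):
            continue
        if is_macho(full) or os.access(full, os.X_OK):
            findings.append(f"unexpected executable MacOS/{name}")

    with open(os.path.join(contents, "_CodeSignature", "CodeResources"), "rb") as fh:
        sealed = plistlib.load(fh).get("files2", {})
    for rel, entry in sorted(sealed.items()):   # keys are relative to Contents/
        want = entry.get("hash2") if isinstance(entry, dict) else None
        if want is None:
            continue  # symlink or legacy SHA-1-only entry; not checked here
        full = os.path.join(contents, rel)
        if not os.path.isfile(full):
            findings.append(f"sealed resource missing: {rel}")
        elif hashlib.sha256(open(full, "rb").read()).digest() != want:
            findings.append(f"sealed resource modified: {rel}")
    return findings


def build_sample_bundle(root, hijacked=False):
    """Create the constructed toy bundle Demo.app under root and return its path.

    With hijacked=True the signed-era binary is renamed to Demo_real and a
    stand-in takes the name Demo, exactly the swap the article describes.
    """
    app = os.path.join(root, "Demo.app")
    macos_dir = os.path.join(app, "Contents", "MacOS")
    res_dir = os.path.join(app, "Contents", "Resources")
    sig_dir = os.path.join(app, "Contents", "_CodeSignature")
    for d in (macos_dir, res_dir, sig_dir):
        os.makedirs(d, exist_ok=True)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Demo",
                       "CFBundleIdentifier": "com.example.demo"}, fh)  # assumed id
    with open(os.path.join(macos_dir, "Demo"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"legit-demo-binary")  # MH_MAGIC_64 + filler
    os.chmod(os.path.join(macos_dir, "Demo"), 0o755)
    resource = b"greeting = Hello"
    with open(os.path.join(res_dir, "strings.txt"), "wb") as fh:
        fh.write(resource)
    with open(os.path.join(sig_dir, "CodeResources"), "wb") as fh:  # seal resource
        plistlib.dump({"files2": {"Resources/strings.txt":
                                  {"hash2": hashlib.sha256(resource).digest()}}}, fh)
    if hijacked:
        os.rename(os.path.join(macos_dir, "Demo"), os.path.join(macos_dir, "Demo_real"))
        with open(os.path.join(macos_dir, "Demo"), "wb") as fh:
            fh.write(b"\xcf\xfa\xed\xfe" + b"malicious-stand-in")
        os.chmod(os.path.join(macos_dir, "Demo"), 0o755)
    return app


def run_demo():
    """Audit a clean bundle, a hijacked one, and one with a tampered resource."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        results.append(audit_bundle(build_sample_bundle(d)))
    with tempfile.TemporaryDirectory() as d:
        results.append(audit_bundle(build_sample_bundle(d, hijacked=True)))
    with tempfile.TemporaryDirectory() as d:
        app = build_sample_bundle(d)
        with open(os.path.join(app, "Contents", "Resources", "strings.txt"), "ab") as fh:
            fh.write(b"\ngreeting = pwned")
        results.append(audit_bundle(app))
    return results


if __name__ == "__main__":
    for findings in run_demo():
        print(findings or "clean")
```

The clean bundle yields no findings, the hijacked one reports the renamed original as an unexpected executable, and the tampered one reports the modified sealed resource. A bundle that has been hijacked exactly as described is still "trusted" as far as the one-time flag is concerned, which is why a periodic scan of this kind (or the real `codesign --verify --deep --strict`) has to be run independently of the system's first-launch check.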