Among macOS 11.3’s updates is a fix for an insidious 0-day that bypassed all of the OS’s built-in defenses. Dan Goodin at Ars Technica has a good layperson’s overview:
> Apple engineers know that trojans represent a bigger threat to most Mac users than more sophisticated exploits that surreptitiously install malware with minimal or no interaction from users. So a core part of Mac security rests on three related mechanisms:
>
> - File Quarantine requires explicit user confirmation before a file downloaded from the Internet can execute.
> - Gatekeeper blocks the installation of apps unless they’re signed by a developer known to Apple.
> - Mandatory App Notarization permits apps to be installed only after Apple has scanned them for malware.
>
> Earlier this year, a piece of malware well known to Mac security experts began exploiting a vulnerability that allowed it to completely suppress all three mechanisms. Called Shlayer, it has an impressive record in the three years since it appeared.
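To make the three mechanisms Goodin lists concrete, here is a small triage script (an added example, not from the Ars piece, Apple, or Wardle's tooling) that asks macOS the same three questions about an app bundle: is it quarantined, does its signature verify, and does Gatekeeper accept it. It assumes macOS with the stock `xattr`, `codesign` and `spctl` tools, that the `com.apple.quarantine` value has the form `flags;hex-epoch;agent;uuid`, and that `spctl -v` reports a notarized app with the word "Notarized" in its `source=` line; the quarantine parser is pure Python and runs anywhere.

```python
from __future__ import annotations
import subprocess
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"


def parse_quarantine(value: str) -> dict:
    """Parse a com.apple.quarantine value, assumed to be
    'flags;hex-epoch;agent;uuid'. Flags are reported raw, not decoded."""
    fields = value.strip().split(";")
    if len(fields) < 2:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags, stamp = int(fields[0], 16), int(fields[1], 16)
    return {
        "flags": f"0x{flags:04x}",
        "downloaded_at": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "agent": fields[2] if len(fields) > 2 else "",
        "uuid": fields[3] if len(fields) > 3 else "",
    }


def _run(*argv: str) -> tuple[int, str]:
    p = subprocess.run(argv, capture_output=True, text=True)
    return p.returncode, p.stdout + p.stderr  # spctl -v writes to stderr


def verdict(quarantine, signed: bool, gatekeeper_ok: bool, notarized: bool) -> dict:
    """Combine the three checks. A bundle with no quarantine attribute is
    never shown to Gatekeeper at all, so that field decides the most."""
    return {
        "quarantine": quarantine,
        "signed": signed,
        "gatekeeper_accepts": gatekeeper_ok,
        "notarized": notarized,
        "gatekeeper_consulted": quarantine is not None,
        "launch_would_be_blocked": quarantine is not None and not gatekeeper_ok,
    }


def assess_bundle(path: str) -> dict:
    """macOS only: run the three checks against an .app bundle path."""
    rc, out = _run("xattr", "-p", QUARANTINE_XATTR, path)   # File Quarantine
    quarantine = parse_quarantine(out) if rc == 0 else None
    rc, _ = _run("codesign", "--verify", "--deep", "--strict", path)  # signature
    signed = rc == 0
    rc, out = _run("spctl", "--assess", "--type", "execute", "-v", path)  # Gatekeeper
    return verdict(quarantine, signed, rc == 0, "Notarized" in out)  # assumed wording
```

Run `assess_bundle("/Applications/Example.app")` on a freshly downloaded app; an empty `quarantine` field on something you just downloaded is the first thing worth investigating.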
Perhaps most distressingly, part of this vulnerability—which bypasses all of macOS’s built-in security measures—was discovered totally by chance in a legitimate development tool.
While the bug has been patched in 11.3, it is a sobering reminder that even the best-constructed defenses can have pretty big holes in them.
Security researcher Patrick Wardle, who developed a proof of concept for the malware, has a very extensive and technical look at the vulnerability, if you’re into that sort of thing, along with a Python script that can tell you whether or not you’ve been targeted.