Security Researcher Says Your Mac's Malware Protection Is Laughably Easy To Bypass

mac vs pc ads
Windows is insecure and dangerous, and Macs are safe and impenetrable, right? Haha, not so much. Microsoft's operating system certainly has its share of security flaws, but it's actually difficult to say which system software is more vulnerable. That's because intrepid hackers keep finding holes in macOS and its security protections like the one Mac security researcher (and former NSA hacker) Patrick Wardle just found.

At the Defcon hacker conference last weekend, Wardle presented his recent findings regarding Apple's macOS "Background Task Management" system. This is a component of macOS that runs in the background and watches for applications that establish "persistence," meaning essentially that they're installed to the system. When this happens, it's supposed to pop up a notification to alert the user; if you've just installed new software, no problem! If you didn't, though, it could be something malicious.

We say "supposed to pop up a notification" because, as Wardle found out, it's actually pretty easy to keep that from happening. In fact, in his words, "the implementation was done so poorly that any malware that's somewhat sophisticated can trivially bypass the monitoring." He demonstrated three ways to do so, and while one of the methods requires root access on the system—meaning it's not much of a threat—the other two not only don't need root, but in fact can be executed remotely.

mac background items notification
A Background Task Management notification.

Wardle operates a group called the Objective-See Foundation that offers free and open-source macOS security tools. He says that because he's created the same sort of software, he knows what the challenges are. That led him to wonder if Apple had overcome those challenges, and as you already know, it didn't. The security researcher says that "the feature needed a lot of work."

Fortunately for Mac users, these exploits don't actually present a surface of attack in and of themselves. Instead, they simply disable part of Apple's warning system, reducing overall system security. The real concern is that these exploits could be deployed as part of a larger attack, and the user may be none the wiser thanks to the disabled alert notifications.

Because Wardle revealed these bugs at Defcon without notifying Apple, there's no patch for these problems yet, but we expect Apple will have something to soothe scared users soon. In the meantime, stick to the usual security best practices and hope your device doesn't get pwned by another zero-day exploit.