Security vendor Tenable has uncovered several security issues affecting macOS application installers. One of them makes it possible to bypass the standard macOS security mechanisms for signed application installers, mechanisms that are supposed to prevent the execution of malicious scripts. Tenable also warned application developers of a potential weakness to watch out for when building installers for their applications. According to Tenable's recent announcement, these issues have not yet been fixed.
Installing new applications is something every macOS user is familiar with. The vulnerabilities identified by Tenable and disclosed in this blog post can affect every Apple user who installs a new application. This applies in particular to applications, such as Microsoft Teams, that require the user to enter a password before installation.
The identified vulnerabilities could also allow cybercriminals who have already gained access to a system to elevate their privileges without the user noticing. This would give an attacker complete control over the user's system, which could then be used to spread malware, steal confidential information, or carry out a range of other criminal activities.
Problems not yet fixed: Apple considers it by design
Apple has stated that the security bypass identified by Tenable is expected behavior and works as intended. Apple also stated that the security enhancement Tenable recommended for the installer subsystem is the responsibility of individual developers and is not a security issue, even though a similar issue reported in 2020 has already been fixed.
Another interesting note
Yesterday, new (external) research revealed that the malware in the hacking toolkit used in the SolarWinds attack modified or abused installer functions to further the attack. In its blog, Tenable explains the "how" of this type of attack, but specifically for macOS. The connection, beyond the similarities in the attack vector, shows that this is a kind of attack that is unfortunately still largely misunderstood or ignored by enterprises.