Rotten apple: the startup monitoring tool built into macOS turned out to be unsafe

Carding

The vulnerabilities presented at Def Con prove that Apple should reconsider its priorities in fixing bugs.

Patrick Wardle, a well-known macOS security researcher, presented the results of a study at the recent Def Con conference, according to which Background Task Management, the malware detection tool built into macOS, contains several unpleasant vulnerabilities at once.

They can be used to bypass the autorun monitoring performed by this system utility, reducing its effectiveness. The tool was added to macOS Ventura by Cupertino specialists in October 2022.

According to Wardle, there are no perfect ways to detect malware, since malware is essentially software, just like any other application. Therefore, Apple and third-party companies are constantly developing new detection mechanisms.

Background Task Management is aimed at monitoring programs registered for system startup. Although the autorun function is used by many legitimate programs, the unexpected appearance of new autorun entries may indicate malicious activity. When such events are detected, the tool should send notifications to the user and to third-party security systems.

However, Wardle found a number of ways to bypass this tool's monitoring, including some that do not require root access. Notably, the researcher decided to disclose the identified vulnerabilities at the Def Con conference without first notifying Apple, skipping the prior notification that is standard practice in bug hunting.

This decision stems from the fact that Wardle had previously informed the company about other shortcomings of this tool; the company's specialists fixed them, but missed the main point: a more comprehensive approach was needed. Ideally, Background Task Management should be rewritten from scratch, taking into account all known security flaws.

According to Wardle, one of the bypass methods he found requires root access to the device. This vulnerability is still important to fix, because attackers sometimes gain that level of access to a system and want to disable alerts in order to install as much malware as possible on the computer without being noticed.

Even more worryingly, however, Wardle found two other ways to disable the tool's alerts without any root access at all. One of them exploits a bug in the tool's interaction with the operating system kernel, and the other relies on the ability to suspend processes, which is available even to ordinary users. This can be used to stop notifications before they reach the user.

According to the researcher, eliminating these vulnerabilities will simply return macOS security to the level that it was before the Background Task Manager appeared.

Wardle's decision can hardly be called correct: in effect, he told attackers where to strike, and did so before Apple's official patch was released.

However, he publicly drew attention to the immaturity of the Background Task Manager, which the Cupertino company is now unlikely to be able to ignore. It is quite possible that in the future Apple will significantly rework this tool so that it meets all modern security standards.