Serious MacOS Vulnerability Patched

Apple just patched a MacOS vulnerability that bypassed malware checks.

The flaw is akin to a front entrance that’s barred and bolted effectively, but with a cat door at the bottom that you can easily toss a bomb through. Apple mistakenly assumed that applications will always have certain specific attributes. Owens discovered that if he made an application that was really just a script—code that tells another program what do rather than doing it itself—and didn’t include a standard application metadata file called “info.plist,” he could silently run the app on any Mac. The operating system wouldn’t even give its most basic prompt: “This is an application downloaded from the Internet. Are you sure you want to open it?”

More.

Tags: , , , ,

Posted on April 30, 2021 at 7:38 AM7 Comments

Comments

farm co work April 30, 2021 10:18 AM

Average baby cost for first year-$3,067. That was 1980. Always work with a security blanket. If it’s not fun, you’re doing it all wrong.

Beatrix Willius April 30, 2021 11:09 AM

I read that and had to laugh. All the stupidity with the code certificates. Yes, Apple I really already signed the contracts for the nth time. All the hours and hours of work with notarisation. My app for ARM didn’t get codesigned because Apple found a html file in the wrong position offensive.

And a simple missing plist file gets around everything.

vas pup May 2, 2021 4:34 PM

Computer scientists discover new vulnerability affecting computers globally

https://www.sciencedaily.com/releases/2021/04/210430165903.htm

“A team o computer science researchers has uncovered a line of attack that breaks all Spectre defenses, meaning that billions of computers and other devices across the globe are just as vulnerable today as they were when Spectre was first announced.”

Read the whole article if interested in a subject.

Clive Robinson May 2, 2021 5:22 PM

@ vas pup.

Colour me unsurprised, I did warn these hardware “go faster stripes” like Spector were,

“The Xmas Gift that would keep giving”

So they have, and they will continue to do so for sometime yet to come.

In the article you will find,

“It is really unclear how to solve this problem in a way that offers high performance to legacy hardware, but we have to make it work,” Venkat said.

I actually see no reason why it should be fixed… Perhaps we should change the way we use computers instead… After all this fetish for connecting everything to the Internet so all your personal information gets stolen so often and so unnoticably. is in fact the major desire of Silicon Valley, the SigInt agencies, and of recent times every knuckle dragger who drags their flat feet along the thin blue line that points to the coffee and doughnut stand.

Perhaps, it will make people start to realise what a terrible idea bot just the Internet but the Cloud realy is and rethink the way they do things.

But we all know what is actually going to happen, people are going to whinge and whine but then do absolutly nothing proactive “Because…”.

But, I’m waiting for the “jump to expload the CPU” bug to be found. That is there is almost certainly a combination of tricks that will damage the CPU, it’s just that people are to afraid to realy go looking… Imagine what could happen if the next marketing inspired “Go Faster Hardware Stripe” that is found to be deficient, partially or fully damages all the CPU’s of the past decade?

What would you do with such knowledge?

With all those connected computers just waiting for the “worm of doom” to be made and knock on their network card…

The obvious statment would be “only the disconnected would survive”…

vas pup May 2, 2021 5:40 PM

@Clive
Thank you for your invaluable as usually input.
I agree with your point, but IT giants behaving like their legal departments: who can ever understood all hidden bugs and prevent IT moguls to exploit for their profits your activity on the Internet AND by the same token understood their multiple pages of legalize privacy and/user agreements which are built like you have many rights on pages e.g.1-5, but then all other pages basically negate all of those rights declared. Without changing the whole paradigm in favor of average user, nothing is going to change – that is my humble understanding!

Clive Robinson May 3, 2021 3:28 AM

@ vas pup,

Without changing the whole paradigm in favor of average user, nothing is going to change – that is my humble understanding!

Mine to, in fact I expect it to get worse a whole lot worse, see what Microsoft have been doing, supposadly for “reputational reasons”. But the reality is they are becoming more and more a “Deputized Law Enforcment Officer” at near zero cost to the Government. Which if you remember was what the FBI and DoJ was trying to force with their case against Apple then pulled the rip cord when Apple faught back sufficiently that the Magistrate in the case was clearly comming to the decision that the FBI & DoJ were in the wrong[1].

So history shows with things like pandemics you need a major driver to change social behaviour to the benifit of the ordanary citizen not the entitled elites.

The recent SolarWinds attacks alledgedly from both Russia and China according to the US Gov, have got into societies imagination at a level more than previous attacks. With the US economy now switched over to “homeworking” the thought that none of those machines can be secure and demonstrated as such when “connected” might just be sufficient to tip the balance into more secure “issolated system” opperation[2].

If we don’t put more emphasis on security thus privacy, as I’ve indicated befor, society is only going to move in one direction, and that is most definitely not going to end well.

[1] I do not believe the “career staff” in the FBI or DoJ psychos have given up on this idea. So I fully expect they will try it again all be it in a different way, at some point in the future, even if legislators give them more and more (because like drug addicts that think they are in control they are not going to stop untill others force them to, it’s why we’ve had the two Crypto Battles and we’ve many more to fight).

[2] The cost of going to “issolated computing” or some measure of air/energy gapping, is actually going to be cheaper for “home workers” than other security measures to correct the problem. As I’ve explained in the past a “two computer gapped with instrumented crossing” solution will work. The price of the extra hardware will oddly result in savings after the initial investment. As for cloud computing… Well the hit of continuing down that path is going to get exponentialy more expensive security wise…

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.