Update your Mac right now if you haven’t already. According to new research, a recently patched zero-day vulnerability in macOS has enabled hackers to circumvent most of Apple’s security protocols and install malware on an undisclosed number of computers.
Because of a flaw found by security researcher Cedric Owens in March, a malicious script may have been copied into “all new versions of macOS,” including macOS versions 10.15 to 11.2. Thankfully, the latest macOS 11.3 provides a security update that closes the gap.
The loophole, according to researchers, provided a workaround for core macOS protection features such as Gatekeeper, File Quarantine, and the company’s Notarization security scan, which are all intended to detect and prevent malicious programmes from being downloaded from the internet.
A hacker might theoretically use the security loophole to slip a malicious programme into a device, according to Owens. Owens conducted his own testing, writing a prototype programme that he was able to conceal inside a seemingly harmless text and that bypassed authentication programmes designed to ensure that a programme originated from a recognised creator.
In a technical blog post about the bug, another security researcher, Patrick Wardle, said, “This bug trivially bypasses several key Apple security protocols, putting Mac users at grave risk.”
He later told Vice News, “This is definitely the worst or probably the most impactful bug to daily macOS users.”
Hackers have been deliberately leveraging the flaw as well, but the intrusion techniques that have been discovered seem to be somewhat sloppy, requiring a user to download and execute an unfamiliar internet application.
The security loophole was reportedly exploited in the wild earlier this year by hackers using Shlayer, malicious adware that is one of the most prevalent types of malware known to attack macOS systems, according to Jamf Secure, an iOS endpoint defence firm.
In most scenarios, bad pages will prompt a user to download an unsolicited software package, which, if the user is stupid enough to install it, might infect their machine with a slew of malware.
An Apple representative said the firm had taken prompt steps to patch the flaw when contacted by email.