SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
18 Sep 2017

Hackers can bypass new protections in MacOS High Sierra

Hackers can bypass a new security feature in MacOS High Sierra to load malicious kernel extensions.

According to security researchers at Synack, the forthcoming update to MacOS features something called “Secure Kernel Extension Loading” (SKEL).

Patrick Wardle, chief security researcher at Synack, said that while the feature was “wrapped in good intentions”, in its current implementation, SKEL “merely hampers the efforts of the ‘good guys’” (ie 3rd-party MacOS developers such as those that design security products). “Due to flaws in its implementation, the bad guys (hackers/malware) will likely remain unaffected,” he said in a blog post. According to Apple's Technical Note TN2459, Secure Kernel Extension Loading is “a new feature that requires user approval before loading new third-party kernel extensions.”

Wardle said that while we might initially assume that the main attack vector SKEL attempts to thwart is the (direct) loading of malicious kernel extensions (ie rootkits), he believed this is not the case. “First, observe that (AFAIK), we have yet to see any signed kernel-mode MacOS malware! Since OS X Yosemite, any kexts have to be signed with a kernel code-signing certificate,” he said. Wardle added that unlike user-mode Developer IDs, Apple is incredibly ‘protective’ of such kernel code-signing certificates – only giving out a handful to legitimate 3rd-party companies that have justifiable reasons to create kernel code.

“As security features are often costly to implement, they are generally introduced to reactively address widespread issues,” he said. He added that instead, the main (security) goal of SKEL is to block the loading of legitimate but (known) vulnerable kexts. “Until Apple blacklists these kexts via the OSKextExcludeList dictionary (in AppleKextExcludeList.kext/Contents/Info.plist), attackers can simply load such kexts, then exploit them to gain arbitrary code execution within the context of the kernel,” he warned.
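The blacklist Wardle refers to is a plain property list: the OSKextExcludeList dictionary maps a kext's bundle identifier to a version rule, and a kext is refused only if both its identifier and its version fall inside that list. The check below is an added illustration written for this page; it is not code from the article, from Synack or from Apple. The plist it parses is constructed here with made-up bundle identifiers and versions, and the rule syntax it accepts (“LE <version>” and “LT <version>”) is an assumption modelled on the shape of real entries. A practitioner auditing a Mac would feed it the Info.plist the article names instead of the embedded sample.

```python
"""Decide whether a kext (bundle ID + version) is blocked by an
OSKextExcludeList-style dictionary.

Added example for this page, not code from the article or from Apple/Synack.
The plist below is constructed; bundle IDs and versions are made up, and the
"LE x.y.z" / "LT x.y.z" rule syntax is an assumption about the real format.
"""
import plistlib
import re

# Constructed stand-in for AppleKextExcludeList.kext/Contents/Info.plist.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.KextExcludeList</string>
    <key>OSKextExcludeList</key>
    <dict>
        <key>com.example.vulnerabledriver</key>
        <string>LE 1.2.4</string>
        <key>com.example.olderdriver</key>
        <string>LT 3.0</string>
    </dict>
</dict>
</plist>
"""

# Assumed rule grammar: an operator (LE = less-or-equal, LT = less-than)
# followed by a dotted numeric version that marks the top of the blocked range.
RULE_RE = re.compile(r"^(LE|LT)\s+([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    """'1.2.4' -> [1, 2, 4]. Components are compared numerically, so that
    1.10 sorts after 1.9 (a plain string comparison would get this wrong)."""
    return [int(part) for part in text.strip().split(".")]


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b; shorter versions are
    padded with zeros so that 1.2 equals 1.2.0."""
    width = max(len(a), len(b))
    a = a + [0] * (width - len(a))
    b = b + [0] * (width - len(b))
    return (a > b) - (a < b)


def rule_blocks(rule, version):
    """True if the kext version falls inside the range the rule excludes."""
    match = RULE_RE.match(rule.strip())
    if match is None:
        # Fail closed: an unparsable rule is treated as a configuration error,
        # not silently ignored, because silently ignoring it would let a
        # listed kext load.
        raise ValueError("unsupported exclude rule: %r" % rule)
    op, bound = match.group(1), parse_version(match.group(2))
    order = compare_versions(parse_version(version), bound)
    return order <= 0 if op == "LE" else order < 0


def load_exclude_list(plist_bytes):
    """Parse the Info.plist and return its OSKextExcludeList dictionary."""
    info = plistlib.loads(plist_bytes)
    return dict(info["OSKextExcludeList"])


def is_excluded(exclude_list, bundle_id, version):
    """A kext is blocked only if its bundle ID is listed AND its version
    matches the listed rule; a newer build of a listed kext still loads."""
    rule = exclude_list.get(bundle_id)
    if rule is None:
        return False
    return rule_blocks(rule, version)


def still_loadable(exclude_list, kexts):
    """Given (bundle_id, version) pairs found on disk, return those the
    exclude list does not stop. These are the ones an attacker could still
    load and target if they happen to be vulnerable."""
    return [(bid, ver) for bid, ver in kexts
            if not is_excluded(exclude_list, bid, ver)]


if __name__ == "__main__":
    excl = load_exclude_list(SAMPLE_INFO_PLIST)
    inventory = [  # constructed inventory, not real kexts
        ("com.example.vulnerabledriver", "1.2.4"),
        ("com.example.vulnerabledriver", "1.10.0"),
        ("com.example.olderdriver", "2.9.9"),
        ("com.example.unlisteddriver", "0.1"),
    ]
    for bid, ver in still_loadable(excl, inventory):
        print("not blocked by exclude list:", bid, ver)
```

The point of the version logic is that the exclude list is a set of ranges, not of identifiers: a kext whose bundle ID is listed but whose version is above the bound is still loadable, which is exactly the gap Wardle describes between a kext becoming known-vulnerable and Apple adding a matching entry. Running the script on the constructed sample reports the 1.10.0 build and the unlisted driver as still loadable.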

He said that although the feature can also block the direct loading of maliciously signed kexts, its main aim appears to be thwarting the loading of known vulnerable drivers for malicious purposes. In his blog, he outlined how a hacker could bypass SKEL protection in MacOS High Sierra.

“We exploit an implementation vulnerability in SKEL that allows us to load a new unapproved kext, fully programmatically, without any user interaction. A single implementation flaw in SKEL may allow us to fully bypass it. Apple on the other hand, has to protect against everything. So, we're always going to win... sometimes after just 20 minutes of poking,” he said.

“Unfortunately, when such ‘security’ features are introduced – even if done with the noblest of intentions – they often just complicate the lives of 3rd-party developers and users without affecting the bad guys (who don't have to play ‘by the rules’). High Sierra's SKEL's flawed implementation is a perfect example of this,” he said.

“Of course, if Apple's ultimate goal is simply to continue to wrestle control of the system away from its users, under the guise of ‘security’, I'm not sure any of this even matters.” Apple will release MacOS High Sierra (10.13) on 25 September.



Tags:
hackers information leaks
Source:
SC Media