While most Mac owners tend to be fairly safe from malicious software, nobody’s immune. Apple continuously works to strengthen macOS against malware but doesn’t always get it right. In a recent presentation at a security conference, researcher Patrick Wardle demonstrated a troubling vulnerability in Background Task Manager, one of Apple’s latest attempts to thwart malware infections.
The Debut of the Background Task Manager and Its Notifications
Apple developed a unique tool known as the Background Task Management system. This tool’s primary role is to monitor software for what is termed “persistence”. Essentially, malware can exhibit two types of behavior. It might be transitory, running only briefly on a device or only until you restart your computer. Conversely, some malware embeds itself more deeply, remaining in place even after the device is shut down and rebooted. Many legitimate software applications require this persistence. It ensures that every time you power up your device, your apps, data, and settings remain as they were. However, if software gains persistence spontaneously or inexplicably, it may hint at malicious intent.
To address this and help combat malware, Apple incorporated the Background Task Manager into macOS Ventura. This feature alerts both users and any third-party security applications in use on the system whenever it detects a “persistence event.” As a result, if you’re aware of a recent software download or installation, you can disregard the alert. However, if it comes as a surprise, it offers an opportunity to probe for potential system compromise.
Unveiling the Shortcomings of Background Task Manager
At the Defcon hacker conference in Las Vegas, Mac security researcher Patrick Wardle unveiled findings about vulnerabilities in Apple’s macOS Background Task Management system. Wardle warns that malware can exploit these flaws to bypass, and therefore defeat, the company’s recently added monitoring tool.
Upon its initial release, Wardle found the Background Task Manager to have some fundamental flaws. These issues were causing persistence event notifications to malfunction. Wardle brought these problems to the attention of Apple, which promptly rectified the reported errors. However, deeper issues within the tool remained unidentified by the company.
Discussing his exchanges with Apple, Wardle described the situation:
“We went back and forth, and eventually, they fixed that issue, but it was like putting some tape on an airplane as it’s crashing. They didn’t realize that the feature needed a lot of work.”
Wardle’s comments underscore the necessity of a comprehensive review and reworking of the tool. It’s clearly not enough to just address the apparent glitches. Apple’s tool for monitoring software persistence is a step in the right direction. However, the security researcher’s findings at Defcon point to a poorly executed implementation. According to Wardle, speaking to Wired:
“There should be a tool [that notifies you] when something persistently installs itself, it’s a good thing for Apple to have added, but the implementation was done so poorly that any malware that’s somewhat sophisticated can trivially bypass the monitoring.”
The Triviality of Bypassing the Security, Embedding Malware Into macOS
One of the bypasses Wardle found does require root access to the target device, a level of access that already gives attackers full control. Though that is a high bar, it is still crucial to address the associated bug, since hackers can occasionally gain this access and might then seek to halt notifications so they can install malware unhindered.
More disconcertingly, though, Wardle disclosed two avenues for bypassing the persistence notifications that do not require root access. One exploits a bug in the communication between the alerting system and the core of the computer’s operating system, known as the kernel. The other takes advantage of a feature that allows users, even those without extensive system privileges, to suspend processes. Wardle discovered that malicious developers could manipulate this feature to interrupt persistence notifications before they reach the user. In other words, the feature could actually help malware infections on macOS rather than preventing them.
Wardle opted to reveal these bugs at Defcon without prior notification to Apple, having previously alerted the company to flaws in the Background Task Manager. He had hoped that the company would undertake a more thorough improvement of the tool. Wardle acknowledges that bypassing this monitoring merely reverts macOS security to its status a year prior, before the tool’s debut. However, he emphasizes the concerns arising from Apple releasing seemingly hurried or insufficiently tested monitoring tools, which may provide users and security vendors with a misleading sense of security.
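Because the notifications described above can be suppressed, launchd persistence can also be checked directly on disk. The following is an added example, not code from the article or from Wardle's research: it snapshots the standard LaunchAgents and LaunchDaemons directories and diffs them against a baseline. The `com.example.*` items in `demo()` are constructed sample data, and login items registered by other means are not covered.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

# Standard launchd persistence directories on macOS.
LAUNCH_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons", "~/Library/LaunchAgents"]

def snapshot(dirs):
    """Map each launchd plist path to its hash and the command it would start."""
    items = {}
    for d in dirs:
        for path in sorted(Path(d).expanduser().glob("*.plist")):
            raw = path.read_bytes()
            try:
                job = plistlib.loads(raw)  # handles XML and binary plists
            except Exception:
                job = None  # unparseable file: still tracked by its hash
            if not isinstance(job, dict):
                job = {}
            argv = job.get("ProgramArguments") or [job.get("Program", "?")]
            items[str(path)] = {
                "sha256": hashlib.sha256(raw).hexdigest(),
                "label": job.get("Label", "?"),
                "command": " ".join(map(str, argv)),
                "run_at_load": bool(job.get("RunAtLoad", False)),
            }
    return items

def diff(baseline, current):
    """Return (added, changed, removed) plist paths between two snapshots."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current
                     if p in baseline and current[p]["sha256"] != baseline[p]["sha256"])
    return added, changed, removed

def demo():
    """Constructed sample: a new item appears and a known item is edited."""
    with tempfile.TemporaryDirectory() as tmp:
        known = Path(tmp, "com.example.updater.plist")
        known.write_bytes(plistlib.dumps(
            {"Label": "com.example.updater", "Program": "/usr/local/bin/updater"}))
        baseline = snapshot([tmp])
        Path(tmp, "com.example.new.plist").write_bytes(plistlib.dumps(
            {"Label": "com.example.new", "Program": "/tmp/helper", "RunAtLoad": True}))
        known.write_bytes(plistlib.dumps({"Label": "com.example.updater",
            "ProgramArguments": ["/usr/local/bin/updater", "--daemon"]}))
        current = snapshot([tmp])
        return diff(baseline, current), current
```

On a Mac, store the result of `snapshot(LAUNCH_DIRS)` as the baseline and review any added or changed entry that does not match software you knowingly installed.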
Protecting Your Mac from Malware
To take a serious step forward in protecting your Mac from viruses and malware, it’s best not to rely solely on the operating system’s built-in security measures. You should install and regularly run some form of virus protection on your Mac.
Intego’s VirusBarrier for Mac stands out as a premier antivirus solution in a crowded market, frequently earning high marks in virus detection tests conducted by AV-Comparatives. The solution has consistently demonstrated its ability to identify the majority of online threats that could potentially affect your Mac.
A standout feature of VirusBarrier is the quarantine section, which houses infected or suspicious files, ensuring they are isolated from the rest of your system. Additionally, the trusted files section is a designated space for files deemed safe, which the program will subsequently bypass during scans.
Intego’s Mac Internet Security X9 suite incorporates a NetBarrier Firewall function, actively monitoring inbound and outbound web traffic across your Apple devices. This vigilant watch ensures a robust line of defense against potential threats. Furthermore, the Safe Browsing feature equips users to navigate the web securely on both Mac and mobile browsers, safeguarding against malicious content.
For users seeking a more comprehensive suite of security tools, Intego offers an expanded antivirus package – the Mac Premium Bundle. Beyond the inclusion of VirusBarrier and NetBarrier, this bundle is augmented with additional utilities, including the Mac Washing Machine for optimizing system performance, Personal Backup for safeguarding essential data, and ContentBarrier for customizable internet filtering and parental controls.