If you haven’t already, you should update your Mac right now. A recently patched zero-day vulnerability in macOS operating systems has been allowing hackers to bypass much of Apple’s security protocols and deploy malware on an unknown number of computers, new research shows.
The bug, which was discovered in March by security researcher Cedric Owens, would have allowed a malicious script to be downloaded onto “all recent versions of macOS,” including macOS versions 10.15 to 11.2. Thankfully, the new macOS 11.3 includes an update that patches the security hole.
Researchers say the vulnerability created a work-around for key macOS security features, including Gatekeeper, File Quarantine and the company’s Notarization security check, all of which are designed to catch and block malicious programs from being downloaded from the internet.
According to Owens, a hacker could hypothetically use the security flaw to sneak a malicious program onto a computer. Owens did his own research, creating a test program which he was able to hide inside an innocuous-looking document and sneak by the security programs meant to verify that a program came from a known developer.
“This bug trivially bypasses many core Apple security mechanisms, leaving Mac users at grave risk,” said another security researcher, Patrick Wardle, in a technical blog he wrote about the bug.
“This is likely the worst or potentially the most impactful bug to everyday macOS users,” he later told Vice News.
Hackers have been actively exploiting the bug, too—though the compromise strategies that have been uncovered seem fairly clumsy and require a user to download and run an unknown internet program. The iOS endpoint protection company Jamf Protect reports that, earlier this year, the security flaw was seeing exploitation in the wild by hackers using Shlayer malware—a malicious adware that is one of the more common forms of malware known to target macOS systems.
“The exploit allows unapproved software to run on Mac and is distributed via compromised websites or poisoned search engine results,” Jamf researchers wrote.
In most cases, the bad sites would prompt a user to download an unsolicited software package and, should the user be foolish enough to attempt to install it, they would get a whole bunch of malware on their computer, instead.
When reached via email, an Apple spokesperson said that the company had taken immediate action to fix the vulnerability.
“This issue does not enable a bypass of XProtect, Gatekeeper’s malware detection, but it allows malware to skip the notarization requirement and the display of the Gatekeeper dialogue box,” said the spokesperson. “After discovering this issue, we rapidly deployed XProtect rules to block the malware we detected using this technique. These rules are automatically installed in the background and retroactively apply to older versions of macOS.”