Apple hits the alarm with multi-OS emergency update to patch zero-click flaw

Discussion in 'all things Mac' started by JRViejo, Sep 15, 2021.

  1. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,440
    Location:
    U.S.A.
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    This is exactly what I meant in the other topic: even on iOS and macOS you might still get hit with zero-day malware if you are unlucky enough to be tricked into opening certain files.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  4. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Apparently that rogue version of iTerm2 was not notarized; wouldn't users get a warning when trying to execute this software?
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I'm not an expert on macOS security, but if Apple had to revoke the certificate on 15 September 2021, then I'm guessing that it would have been able to run freely before they decided to take action?
     
  6. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    My faith in some of Apple's macOS security precautions continues to erode. Sigh...

    On average, I use the terminal emulator replacement iTerm2 for macOS Mojave (and above) about a half-dozen times per day. I originally installed it, and keep it automatically updated, with the Homebrew package manager. I feel like I have unknowingly dodged a bullet!

    BTW, the official iTerm2 for macOS .zip archive file seems to be notarized (H7V7XYVQ7D) okay from George Nachman's https://iterm2.com server, and the present build is 3.4.10.

    FWIW - iTerm2-3_4_10.zip SHA-256 hash: 40a62193582dd7c54e6f27e509bdb887ec864513b53d4003763d9e167e44a921

    HTH
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well, in this particular case they tried to lure you into some fake site, so it wasn't a true supply chain attack. So people who remain cautious wouldn't have fallen for this, but you can always have a bad day, so it's still tricky stuff. But the key is that it's able to bypass built-in macOS protection.
     
  8. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    "not detected as malicious on VirusTotal", so (most?) third-party antivirus software would not have helped either...
     
  9. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    480
    Location:
    Dallas, TX
    Thanks for that article. I especially liked learning the handy way to validate the notarization status of an app via the command line...

    [Screenshot attached: Screen Shot 2021-09-22 at 10.17.52 AM.png]
     
  10. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Did not know either, and ran the same command on the same file...
     
  11. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    Hello @Alec

    Your spctl command line solution is terrific for onesies and twosies.

    To ease the burden of verifying all executables in a directory (e.g. ~/Application), I have found that the notarized Signet v1.3 utility from The Eclectic Light Company is a good yet thorough time saver, and it can save its output in a .text file for later perusal.

    FWIW - Although likely harmless, I have deleted some years old un-notarized apps I had forgotten about.

    @Rasheed187 Yes. Somewhere along the line, Mac's Gatekeeper needs an upgrade to catch that fake iTerm2 type of malware, and Mac's Gatekeeper Compatibility Data has not been updated since November 2020.

    Cheers
     
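The checks discussed in posts 6, 9 and 11 (comparing a download's SHA-256 against the published value, running spctl against one app, and checking every app in a folder the way Signet does) put together as one shell script. This is an added example, not code from the thread, from the iTerm2 project or from Apple; the file names, report path and the expected Team ID are supplied by whoever runs it, and the Team ID and hash quoted from post 6 appear only in the usage comments. On anything other than macOS only the hash check can actually run, because spctl and codesign exist only there. One caveat worth keeping in mind: spctl reports the trust state as of now, so an app whose Developer ID certificate Apple has since revoked is rejected today, which says nothing about what Gatekeeper would have shown before the revocation.

```shell
#!/bin/sh
# Added example (not from the thread or from iTerm2): verify a download's SHA-256,
# then ask Gatekeeper's policy engine (spctl) and codesign what they make of an app,
# for one app or every .app in a folder. Paths, hashes and Team IDs are caller input.

# Print the SHA-256 of a file; macOS ships shasum, Linux ships sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 on mismatch (case-insensitive).
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$expected" ]; then
        printf 'OK       %s  sha256 matches\n' "$1"
        return 0
    fi
    printf 'MISMATCH %s  got %s\n' "$1" "$actual" >&2
    return 1
}

# assess_app APP.app [EXPECTED_TEAM_ID]
# Runs the assessment Gatekeeper applies on first launch and prints one tab-separated
# line: path, verdict, "source=" (e.g. "Notarized Developer ID"), "origin=" (signing
# identity) and, when a Team ID was given, whether codesign's TeamIdentifier matches.
# Exit status: 0 accepted, 1 rejected or wrong team, 2 skipped (not on macOS).
assess_app() {
    app=$1
    want_team=${2:-}
    if ! command -v spctl >/dev/null 2>&1; then
        printf '%s\tSKIPPED\tspctl not available (macOS only)\n' "$app"
        return 2
    fi
    # spctl writes the verdict and the source/origin lines to stderr.
    if out=$(spctl -a -vv -t install "$app" 2>&1); then
        verdict=ACCEPTED; rc=0
    else
        verdict=REJECTED; rc=1
    fi
    source=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    origin=$(printf '%s\n' "$out" | sed -n 's/^origin=//p' | head -n 1)
    team_note=
    if [ -n "$want_team" ]; then
        # codesign also reports on stderr; TeamIdentifier is the 10-character Developer ID team.
        got_team=$(codesign -dvv "$app" 2>&1 | sed -n 's/^TeamIdentifier=//p' | head -n 1)
        if [ "$got_team" = "$want_team" ]; then
            team_note="team=$got_team (expected)"
        else
            team_note="team=${got_team:-none} (EXPECTED $want_team)"
            rc=1   # a convincing lookalike signed by some other team is still a reject
        fi
    fi
    printf '%s\t%s\tsource=%s\torigin=%s\t%s\n' \
        "$app" "$verdict" "${source:-?}" "${origin:-?}" "$team_note"
    return "$rc"
}

# scan_dir DIR REPORT: assess every *.app directly under DIR, one line per app,
# written to REPORT for later reading (the batch use case from post 11).
scan_dir() {
    dir=$1
    report=$2
    : > "$report"
    for app in "$dir"/*.app; do
        [ -e "$app" ] || continue              # no .app bundles at all
        assess_app "$app" >> "$report" || :    # keep going after a reject or skip
    done
    printf 'accepted=%s rejected=%s skipped=%s (report: %s)\n' \
        "$(cut -f2 "$report" | grep -c '^ACCEPTED$')" \
        "$(cut -f2 "$report" | grep -c '^REJECTED$')" \
        "$(cut -f2 "$report" | grep -c '^SKIPPED$')" "$report"
}

# Usage (nothing runs when the script is invoked without arguments):
#   sh verify-app.sh hash iTerm2-3_4_10.zip 40a62193582dd7c54e6f27e509bdb887ec864513b53d4003763d9e167e44a921
#   sh verify-app.sh app  /Applications/iTerm.app H7V7XYVQ7D
#   sh verify-app.sh scan /Applications "$HOME/gatekeeper-report.txt"
if [ "$#" -gt 0 ]; then
    case $1 in
        hash) verify_sha256 "$2" "$3" ;;
        app)  assess_app "$2" "${3:-}" ;;
        scan) scan_dir "$2" "$3" ;;
        *)    echo "usage: $0 hash FILE SHA256 | app APP.app [TEAMID] | scan DIR REPORT" >&2; exit 64 ;;
    esac
fi
```

Two things the output tells you that a plain "it opened" does not: the source line distinguishes "Notarized Developer ID" (Apple scanned and stapled it) from a merely signed build, and the Team ID comparison is what would separate the real iTerm2 from a rogue build that happened to carry someone else's valid Developer ID signature. Run the scan with a real report path and keep the file; a later run can be diffed against it after Apple pushes a certificate revocation.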
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It depends a bit: they would have failed to spot it via signatures, but via behavior blocking they may still have blocked it post-execution. That's why it's a pity that there are so few behavior blocking tools for the Mac. I guess the market simply isn't big enough, because I always wondered why SpyShelter was never launched for macOS.

    OK, thanks for confirming this.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Another day, another zero day for iOS and macOS. And it's even being actively exploited according to both Google and Apple, so it's not just theory. It's a zero day in the OS kernel combined with a flaw in the WebKit engine from Safari to get malware up and running with full system privileges. :rolleyes:

    https://www.helpnetsecurity.com/2021/09/24/cve-2021-30869/
     
  14. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    Unless someone can otherwise decipher the updates, Malwarebytes released DTBS 4.0.561 for Malwarebytes for Mac on 23 September 2021, and Apple has quietly released XProtectPlistConfigData 2151 (2021-09-24). One might hope these are quite helpful.

    HTH
     