Mac computers have enjoyed decades of a reputation of being safer than their Windows counterparts. However, that reputation is now dwindling as hackers have set their eyes on macOS.
An exploit chain, which was demonstrated at Black Hat 2020, could allow attackers to deploy malware using an MS Office document with macros. The exploit chain includes:
- A previously disclosed high-severity vulnerability - CVE-2019-1457 - a security bypass in MS Office. This vulnerability is still in action in recent versions of Office for Mac.
- A sandbox escape released in mid-2018. It exploited a sandbox exception in Office’s sandbox profile.
- The last link in the chain was the complete bypass of Apple’s notarization requirements. Patrick Wardle achieved this by abusing the Archive Utility app in macOS.
What does this imply?
This implies that, in case of this exploit, if a user receives a Microsoft Office document and opens it, the executable will automatically run without any prior explicit user approval.
- Another exploit was discovered in July that is capable of bypassing the operating system’s security protections and file privacy. This exploit targets the Transparency, Consent, and Control (TCC) framework in macOS Mojave.
- In late June, a new strain of the EvilQuest malware was observed that included information stealing and anti-analysis functions, along with a list of security tools to be checked and terminated to evade detection.
Macros are being increasingly abused by cyber crooks. Apple has created notarization checks to prevent malicious codes from executing on macOS. However, the recent exploit chain demonstrated by researcher Patrick Wardle has bypassed those security protections.
The bottom line is that although macOS has been considered one of the most secure systems, threat actors have started putting a lot of effort into hacking Apple’s operating system. Different types of attacks on macOS are gaining popularity and yet, the research and security community has still not paid enough attention to these.