At the Defcon hacker conference in Las Vegas, longtime Mac security researcher Patrick Wardle presented findings today about vulnerabilities in Apple's macOS Background Task Management mechanism, which could be exploited to bypass and, defeat the company's recently added monitoring tool.
The Tame Apple Press rushed to point out that there was no foolproof method for catching malware on computers with perfect accuracy, but it appears that this method is a silly approach.
Apple's Background Task Management tool focuses on watching for software "persistence." Malware can be designed to be ephemeral and operate only briefly on a device or until the computer restarts. But it can also be built to establish itself more profoundly and "persist" on a target even when the computer is shut down and rebooted. Lots of legitimate software needs persistence so all of your apps and data and preferences will show up as you left them every time you turn on your device.
But if software establishes persistence unexpectedly or out of the blue, it could be a sign of something malicious.
Apple added Background Task Manager in macOS Ventura, launched in October 2022, to send notifications directly to users and to any third-party security tools running on a system if a "persistence event" occurs.
If you know you just downloaded and installed a new application, you can disregard the message. But if you didn't, you can investigate the possibility that you've been compromised.
Wardle said that he has been writing similar code for ages so he knows what is wrong with Apple’s approach.
“The implementation was done so poorly that any malware that’s somewhat sophisticated can trivially bypass the monitoring… Malware can persist in a manner that is completely invisible.”
Wardle discovered some more basic issues with the tool that caused persistence event notifications to fail. He reported them to Apple, and the company fixed the error. But the company didn't identify deeper issues with the tool.
“We went back and forth, and eventually, they fixed that issue, but it was like putting some tape on an airplane as it’s crashing. They didn't realize that the feature needed a lot of work.”
One of the bypasses Wardle presented on Saturday requires root access to a target's device, meaning that attackers need to have full control before they can stop users from receiving persistence alerts. The bug related to this potential attack is important to patch because hackers can sometimes gain this level of access to a target and might be motivated to stop notifications so they can install as much malware as they want on a system.
More concerning is that Wardle also found two paths that don't require root access to disable the persistence notifications Background Task Manager is supposed to send to the user and to security monitoring products.
One of these exploits takes advantage of a bug in how the alerting system communicates with the core of a computer's operating system known as the kernel. The other capitalises on a capability that allows users, even those without deep system privileges, to put processes to sleep. Wardle found that this capability can be manipulated to disrupt persistence notifications before they can get to the user.
Wardle says he chose to release these bugs at Defcon without first notifying Apple because he had already notified the company about flaws in Background Task Manager that could have led it to improve the tool’s overall quality more comprehensively.