MacOS High Sierra protections can be bypassed, but will make security researchers and companies work more difficult
Hackers can bypass a new security feature in MacOS High Sierra to load malicious kernel extensions.
According to security researchers at Synack, the forthcoming update to MacOS features something called Secure Kernel Extension Loading” (SKEL). Patrick Wardle, chief security researcher at Synack, said that while the feature was “wrapped in good intentions”, in its current implementation, SKEL “merely hampers the efforts of the ‘good guys’” (ie 3rd-party MacOS developers such as those that design security products).
“Due to flaws in its implementation, the bad guys (hackers/malware) will likely remain unaffected,” he said in a blog post.
According to Apple’s Technical Note TN2459, Secure Kernel Extension Loading, is “a new feature that requires user approval before loading new third-party kernel extensions.”
Wardle said that while we might initially assume that that the main attack vector SKEL attempts to thwart is the (direct) loading of malicious kernel extensions (ie rootkits), he believed this is not the case.
“First, observe that (AFAIK), we have yet to see any signed kernel-mode MacOS malware! Since OS X Yosemite, any kexts have to be signed with a kernel code-signing certificate,” he said.
Offer Ends November 29th 2017. Hurry!!
Interesting article can be found here:
This login bug is unacceptable. I was seriously scandalized by this when the news first appeared, and now that they are trying to fix it with updates, we need to think how messed up the development must be if things like that are present.
Apple needs to be scrutinized.
LikeLiked by 2 people