At the recent DEF CON hacker conference in Las Vegas, security researcher Patrick Wardle demonstrated new macOS vulnerabilities that bypass Apple's three-layer anti-malware protection and let malware persist on a Mac without the user (or installed security software) being alerted.
Apple describes its anti-malware protection as three layers, which can be summarized as follows:
- Prevent the launch or execution of malware: the App Store, or Gatekeeper combined with Notarization
- Block malware from running on customer systems: Gatekeeper, Notarization and XProtect
- Remediate malware that has already executed: XProtect
Wardle reported a vulnerability that bypasses this protection to Apple last year and built proof-of-concept tooling to demonstrate that it works.
Because Apple has still not fixed the issue he reported, he decided to share the bypass techniques he discovered at DEF CON.
Wardle has so far found three bypasses: one requires root access on the target Mac, while the other two do not require root privileges.
The relevant passage from the original report reads:
"Wardle also discovered two vulnerabilities that don't require root access to exploit, disabling the Background Task Manager that sends persistence notifications to users and security monitoring products. One of the vulnerabilities exploits a bug in how the alerting system communicates with the core of a computer's operating system, known as the kernel. The other exploits a capability that allows users, even those without deep system privileges, to put processes to sleep. Wardle discovered that this capability can be manipulated to hijack persistence notifications before they reach the user."
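The practical lesson of the bypasses above is that a persistence notification from Background Task Management is a convenience, not a guarantee. The following script is an added example (not Wardle's tooling, not Apple's code, and not part of the original report): it inventories the launchd persistence directories that BTM watches, records what each item would execute, and diffs two snapshots so that a newly dropped agent or daemon shows up whether or not the BTM notification ever fires. It assumes Python 3 and the standard launchd plist layout; the plists it creates under a temporary directory are constructed sample data, and the path `/tmp/.helper` is a made-up suspicious value.

```python
"""Independent inventory of launchd persistence on macOS.

Added example (not Wardle's tooling and not Apple's BTM): enumerate the
launchd plist directories that Background Task Management watches, record
what each item would execute, and diff two snapshots so a new persistence
item is visible even if the BTM notification never fires.
"""
import os
import plistlib
import xml.parsers.expat
from pathlib import Path

# launchd persistence directories covered by BTM; "~" is expanded to the
# current user's home.
PERSISTENCE_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "~/Library/LaunchAgents",
]


def parse_launchd_plist(path):
    """Return the label, program and RunAtLoad flag of one launchd plist."""
    with open(path, "rb") as fh:
        plist = plistlib.load(fh)
    program = plist.get("Program")
    if not program:
        args = plist.get("ProgramArguments") or []
        program = args[0] if args else None
    return {
        "label": plist.get("Label"),
        "program": program,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
    }


def snapshot(dirs=PERSISTENCE_DIRS):
    """Map plist path -> parsed item for every .plist under the given dirs."""
    items = {}
    for d in dirs:
        base = Path(os.path.expanduser(d))
        if not base.is_dir():
            continue
        for plist_path in sorted(base.glob("*.plist")):
            try:
                items[str(plist_path)] = parse_launchd_plist(plist_path)
            except (plistlib.InvalidFileException, xml.parsers.expat.ExpatError,
                    ValueError, OSError) as exc:
                # A file in a persistence directory that cannot be parsed is
                # worth flagging rather than silently skipping.
                items[str(plist_path)] = {"error": exc.__class__.__name__}
    return items


def diff_snapshots(old, new):
    """Return (added, removed, changed) between two snapshots."""
    added = {p: new[p] for p in new.keys() - old.keys()}
    removed = {p: old[p] for p in old.keys() - new.keys()}
    changed = {p: (old[p], new[p]) for p in old.keys() & new.keys()
               if old[p] != new[p]}
    return added, removed, changed


def demo(workdir):
    """Constructed scenario under workdir: one benign agent exists, then a
    second agent and a malformed plist appear. Returns the snapshot diff."""
    agents = Path(workdir) / "LaunchAgents"
    agents.mkdir(parents=True, exist_ok=True)
    with open(agents / "com.example.updater.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/usr/local/bin/updater", "--check"],
                       "RunAtLoad": True}, fh)
    before = snapshot([str(agents)])

    with open(agents / "com.example.helper.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.helper",
                       "Program": "/tmp/.helper",  # constructed, suspicious path
                       "RunAtLoad": True}, fh)
    (agents / "broken.plist").write_bytes(b"not a plist")
    after = snapshot([str(agents)])
    return diff_snapshots(before, after)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        added, removed, changed = demo(tmp)
        for path, item in added.items():
            print("NEW persistence item:", path, item)
```

On a real Mac, call `snapshot()` with the default directories, store the result (for example as JSON), and diff it against a later run; a new item whose program lives outside `/Applications`, `/usr/local` or a signed bundle deserves a closer look regardless of whether BTM said anything.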