When Apple released the latest version, 11.3, for macOS on Monday, it didn’t just introduce support for new features and optimizations. More importantly, the company fixed a zero-day vulnerability that hackers were actively exploiting to install malware without triggering core Mac security mechanisms, some of which were in place for more than a decade.
Together, the defenses provide a comprehensive set of protections designed to prevent users from inadvertently installing malware on their Macs. While one-click and even zero-click exploits rightfully get lots of attention, it’s far more common to see trojanized apps that disguise malware as a game, update, or other desirable piece of software.
Protecting users from themselves
Apple engineers know that trojans represent a bigger threat to most Mac users than more sophisticated exploits that surreptitiously install malware with minimal or no interaction from users. So a core part of Mac security rests on three related mechanisms:
- File Quarantine requires explicit user confirmation before a file downloaded from the Internet can execute
- Gatekeeper blocks the installation of apps unless they’re signed by a developer known to Apple
- Mandatory App Notarization permits apps to be installed only after Apple has scanned them for malware
Earlier this year, a piece of malware well-known to Mac security experts began exploiting a vulnerability that allowed it to completely suppress all three mechanisms. Called Shlayer, it has an impressive record in the three years since it appeared.
Last September, for instance, it managed to pass the security scan that Apple requires for apps to be notarized. Two years ago, it was delivered in a sophisticated campaign that used novel steganography to evade malware detection. And last year, Kaspersky said Shlayer was the most detected Mac malware by the company’s products, with almost 32,000 different variants identified.
Shlayer’s exploitation of the zero-day, which started no later than January, represented yet another impressive feat. Rather than using the standard Mach-O format for a Mac executable, the executable component in…