Many people think that Macs have been spared viruses and vulnerabilities, but this is not the case. Swedish programmer Rasmus Sten recently discovered a bug that allowed malware to circumvent the operating system's defenses.
On a daily basis he does not hunt for vulnerabilities; he writes code for F-Secure's antivirus software. At the start of December, Rasmus Sten was testing his own software and how it handles zip archives, i.e. the zip compressed file format.
– I downloaded zip files again and again while looking at the logs from macOS. Then I spotted mysterious error messages, as if the operating system was handling something wrong, says Rasmus Sten.
He found out that macOS sometimes skips a step meant to make sure downloaded files are safe. To understand what happened, you need to understand how Apple's operating system protects itself, in four layers.
The file has been orphaned
When an executable file is downloaded and double-clicked, the first layer of security is activated: the file is quarantined while the user receives a warning.
If the user chooses to continue, the next step, called Gatekeeper, follows. Here Apple's system checks whether the software has been signed by an authorized developer. If not, the file cannot be opened by double-clicking it; it can only be opened by right-clicking it and choosing Open.
The third step is notarization, a quick review in which Apple analyzes the software to find bugs or malware.
Finally, Apple's XProtect antivirus software scans the file for known malicious content.
“They can cause great harm.”
What Rasmus Sten discovered is that the operating system sometimes skips steps 2 and 3.
– It didn't look that serious at the time, but I thought I'd report it to Apple anyway. And when I started documenting it and going through all the numbers, I discovered that you can polish it up and get a zip file that looks almost completely normal but bypasses the security checks, says Rasmus Sten, and describes where the problem lies:
– When a zip file is decompressed into a series of other files, macOS should keep track of where each of them came from. He adds that this link was weak.
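The "link" described above is the quarantine marker macOS attaches to downloaded files and is expected to carry over to everything extracted from a downloaded archive; Gatekeeper and the notarization check only run on files that carry it. The script below is an added example, not code from the article, from F-Secure or from Apple: it audits an extracted directory and lists every file that lacks the com.apple.quarantine extended attribute, and it parses the attribute's value (hex flags, hex download timestamp, downloading agent, UUID) for the files that do carry it. The sample paths and attribute values in `CONSTRUCTED_SAMPLE` are made up for the demonstration; the `reader` parameter exists so the audit can run on a real macOS tree (via `os.getxattr`) or on the constructed sample on any platform.

```python
import os
import sys
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# macOS stamps downloaded files with this extended attribute; Gatekeeper and
# notarization checks are only triggered for files that carry it, so an
# extracted file without it is opened with no download-time checks at all.
QUARANTINE_ATTR = "com.apple.quarantine"

# Constructed sample of an extraction result: path -> attribute value (or None
# when the attribute is missing). These are not real files or real values.
CONSTRUCTED_SAMPLE: Dict[str, Optional[bytes]] = {
    "/tmp/extract/Spotify.app/Contents/MacOS/Spotify": b"0083;60e3a1c0;Safari;00000000-0000-0000-0000-000000000000",
    "/tmp/extract/Spotify.app/Contents/Info.plist": b"0083;60e3a1c0;Safari;00000000-0000-0000-0000-000000000000",
    "/tmp/extract/README.txt": None,  # lost its quarantine flag during extraction
}


def parse_quarantine(value: bytes) -> Dict[str, object]:
    """Split a com.apple.quarantine value into its fields.

    The value is a ';'-separated string: hex flags, hex download timestamp
    (seconds since the Unix epoch), the downloading application's name and
    a UUID. The last two fields may be absent on older entries.
    """
    parts = value.decode("utf-8", "replace").split(";")
    if len(parts) < 2:
        raise ValueError("malformed quarantine attribute: %r" % value)
    return {
        "flags": int(parts[0], 16),
        "downloaded_at": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2] if len(parts) > 2 else "",
        "uuid": parts[3] if len(parts) > 3 else "",
    }


def read_xattr(path: str, name: str) -> Optional[bytes]:
    """Read one extended attribute from a real file; None when it is absent."""
    try:
        return os.getxattr(path, name)
    except OSError:
        return None


def audit_paths(paths: List[str],
                reader: Callable[[str, str], Optional[bytes]] = read_xattr) -> Dict[str, object]:
    """Classify each path by whether it still carries the quarantine attribute.

    Returns {"quarantined": {path: parsed fields}, "unquarantined": [paths]}.
    Files in the second list would skip Gatekeeper and notarization if opened.
    """
    quarantined: Dict[str, Dict[str, object]] = {}
    unquarantined: List[str] = []
    for path in sorted(paths):
        value = reader(path, QUARANTINE_ATTR)
        if value is None:
            unquarantined.append(path)
        else:
            quarantined[path] = parse_quarantine(value)
    return {"quarantined": quarantined, "unquarantined": unquarantined}


def walk_files(root: str) -> List[str]:
    """Collect every regular file below root (directories are skipped)."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            found.append(os.path.join(dirpath, name))
    return found


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        result = audit_paths(walk_files(argv[1]))  # real tree, real xattrs
    else:
        result = audit_paths(list(CONSTRUCTED_SAMPLE), CONSTRUCTED_SAMPLE.get)
    for path, info in result["quarantined"].items():
        print("quarantined   %s (agent=%s, downloaded %s)"
              % (path, info["agent"], info["downloaded_at"].isoformat()))
    for path in result["unquarantined"]:
        print("UNQUARANTINED %s" % path)
    return 1 if result["unquarantined"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the constructed sample, or pass the directory a downloaded archive was extracted into; a non-zero exit code means at least one extracted file would be opened without Gatekeeper or notarization ever looking at it.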
What could the vulnerability be used for?
– It could, for example, be used against a user who receives an email that appears to come from Spotify with a link to a new version of the program. When the user downloads it, it looks like Spotify, but it contains malware that infiltrates the computer. Because the protection isn't working as it should, it could have caused massive damage, says Rasmus Sten.
The problem was solved last week
Rasmus Sten doesn't know whether the last layer of protection, the XProtect antivirus, would have stopped a malicious file that got that far into the system. Even so, it was a serious flaw, according to him and to IT security coach Karl Emil Nikka, who runs the security company Nikka Systems.
– Finding a method that can bypass several of the steps protecting macOS is dangerous for technical reasons. But it's also dangerous for psychological reasons: many Mac users believe the legend that there are no viruses for Macs, and are therefore willing to take greater risks, Nikka says.
Rasmus Sten discovered the bug in early December, but it was only last week that Apple fixed the problem. That is why he is only now talking about what happened, and since not all users update their systems right away, he does not go into all of the details.
Update your OS as soon as possible
It took almost five months from the time the problem was reported to Apple for a fix to arrive. It came as part of a major security update, of the kind Apple usually ships once or twice every three months. The latest one fixes more than 60 vulnerabilities.
– I don't know what Apple was thinking; they're very calm. Since there is no indication that this is being used, they might not be in a hurry. Of course we'd love to see it go faster, but maybe Apple needed to go deeper into the system to fix it, says Rasmus Sten.
On the question of what you as a user should do to protect yourself from this type of vulnerability, the IT experts agree.
– The advice is to always install security updates as soon as they are available. Also, don't run macOS versions that are no longer maintained by Apple. macOS 11, 10.15 and 10.14 are currently maintained. The version before those, 10.13, no longer receives updates. If you are using an older OS, you should be aware that it is not safe, says Karl Emil Nikka.
– You must keep the operating system up to date at all times. It gets a bit boring, updates are difficult to install and time-consuming, which is something Apple is working on. But it is worth it, says Rasmus Sten.