MacOS Notarization protocols overcome by software flaw

In a significant shift for the cybersecurity landscape, malware detections on Mac computers have hit a record low in 2021. This drop outpaced similar infections in Windows systems in 2019, marking a notable change in the cybersecurity landscape.

The decline in malware detections is attributed to a variety of factors, including the increasing adoption of Apple products in the enterprise, which has altered the way IT departments manage and support historically Windows-heavy computer systems.

However, this positive trend was momentarily disrupted by the discovery of a bug that affected around 30,000 Macs. This bug, discovered by security researcher Linus Henze, allowed certain malicious actions to bypass security protocols such as Apple's File Quarantine or notarization.

The bug, which affected macOS versions 10.5 to 11.2, did not prompt alerts or blocks for malicious material. This made it particularly insidious, as it could misclassify quarantined items, potentially allowing harmful software to operate undetected.

The malware that exploited this bug was not the well-known Shlayer, but rather Silver Sparrow. Interestingly, Silver Sparrow did not mimic typical adware that targets macOS, and even had two versions for Apple's new M1 chips.

The Shlayer malware, on the other hand, has been exploiting this bug since January 9, according to Jamf researchers. This malware, which represents a small fraction of total detections, accounted for 76% of detections as PUPs (Potentially Unwanted Programs), with adware accounting for 22%, and malware a mere 1.5%.

Despite this brief setback, the quarantine, Gatekeeper, and notarization processes in macOS continue to play a crucial role in maintaining the hardened security reputation that Apple products enjoy. These processes prohibit unverified software or documents from downloading if malicious content is detected, and provide users with a description of flagged software to make informed choices about downloads.

In a recent survey by Jamf and Vanson Bourne, more than three-quarters of users in companies using both Mac and non-Mac computers believe Macs are more secure. This belief, coupled with the ongoing efforts of Apple and security researchers, suggests that the future of Mac security remains promising.

As of now, the latest macOS bug has been fixed with the release of the update available in MacOS version 11.3. The enterprise presence of Apple products is still finding its footing outside the consumer realm, but with continued advancements in security and usability, it is poised to make a significant impact in the coming years.