back to article Apple's macOS Gatekeeper asleep on the job: Exploited flaw put users 'at grave risk' of malware infection

Apple has released macOS 11.3, fixing a serious flaw that allowed an attacker to sneak malicious files past the operating system's Gatekeeper security mechanism. Gatekeeper is one of the primary macOS defenses against the installation of malware, explained Cedric Owens, the security researcher who found the bug, in a message …

  1. Dan 55 Silver badge

    Mavericks

    Can't find if this a problem on Mavericks and if so will Apple be backporting the fix.

    And they should do because many people won't update past Mavericks for obvious reasons.

    1. martyn.hare
      Alert

      Why would they?

      The Apple support policy is to cover the current release plus the two prior releases for security-related updates, providing what amounts to a minimum of total of 3 years coverage per major release. Also, all hardware is fully supported for security patches for at least 7 years from the listed date of the device these days. By comparison, Windows 10 Pro offers 18 months worth of patches for a given major release and most OEMs only support hardware with required BIOS updates and other patches for 5 years these days if you’re lucky.

      Unless you’re willing to take a punt on a Librem device and run an LTS Linux distro with only the LTS-supported components (e.g. RHEL-based) the days of expecting old stuff to be patched are long gone,

      1. Slipoch

        Re: Why would they?

        The difference between these arguments is that MS considers an in OS change a major version change, whereas Apple considers a new OS a major version change.

        So if windows 10 is kept up to date you are looking at a far longer period of support, especially considering 7 still had security updates even after 8 came out, and kept getting them for 11 years after release.If you are on some of the more specialised branches (embedded scientific devices etc.) you are still getting support patches today.

        1. Charlie Clark Silver badge

          Re: Why would they?

          Microsoft's decision to stick with the name Windows 10 when pushing out "feature updates" indicates that it is moving towards Apple's policy. It's probably only due to the large enterprise customer base that it will continue to provide support for older versions.

          While I can understand Apple's general approach, I have occasionally been extremely annoyed by their insistence on fixing some bugs only in new versions: a bug in Bluetooh in Lion was particularly annoying and AFAIK never fixed. There are always good reasons for not upgrading immediately to the latest MacOS as evinced by the frequency of subsequent patches.

    2. elbisivni

      Re: Mavericks

      Regrettably not. It appears that the last security update for Mavericks was 13F1911, in late 2016.

      Forgive me for asking - what is the obvious reason why people won't update beyond Mavericks? Old version of Adobe's suite?

      1. katrinab Silver badge

        Re: Mavericks

        I'm guessing old hardware that isn't officially supported in later releases.

        My mid-2010 MacBook Pro isn't officially supported beyond High Sierra which is no longer in support, though it is possible to hackintosh Mojave onto it.

        1. stungebag

          Re: Mavericks

          My early-2009 iMac is running Catalina, fairly happily it seems. Can't say for certain as I've dumped it on the Mrs.

          1. DJV Silver badge

            Re: I've dumped it on the Mrs

            Ooh, I bet that hurt!

      2. Dan 55 Silver badge
        FAIL

        Re: Mavericks

        Oh crap, I meant Mojave.

        California landmarks mean nothing to me, they should have stuck with the cats.

        Icon for me.

        1. gnasher729 Silver badge

          Re: Mavericks

          The number of big cats is quite limited, and they would have run out by now. They already used the complete Wikipedia list of "Big Cats", plus "Mountain Lion" which is not on that list.

          1. WolfFan Silver badge

            Re: Mavericks

            I’ve said it before, I’ll say it again: macOS Sabretooth would have been awesome. And then there’s Cave Lion, Clouded Leopard, and, of course, Siberian Tiger. There are lots more cats out there. And if they start to run out for real, there’s always cat relatives, like, oh, Spotted Hyena, the most woke animal in Africa. (Hint: girl spotted hyenas are bigger, badder, and, umm, better equipped than guy spotted hyenas. Look it up.)

        2. O RLY

          Re: Mavericks

          Yes, Mojave has a new security patch as well released. It's been 14 hours since your message, so I suspect you've already seen it pop up in System Preferences, but if not, I hope this helps.

      3. David Glasgow

        Re: Mavericks

        For me, Papers 3 and Dragon Dictate.

    3. Tessier-Ashpool

      Re: Mavericks

      The flaw was introduced with Catalina, apparently.

  2. Version 1.0 Silver badge

    Just dis...

    Our governments are keen to stop people Driving While Black, Smoking Hash and Grass, Protesting, Making their own whisky, Voting without a picture ID, or even - in the US not voting for republicans, etc., etc., but there's nothing done to stop malware infections, spam, fake phone calls, fraud etc etc etc.

    I just got a text on my phone telling me my order had been canceled and a link to visit for the details - hack attempt deleted because nobody cares and the law supports Freedom of Hacking and Speech. Ops, pick which one was a mistake.

    1. Anonymous Coward
      Anonymous Coward

      Re: Just dis...

      This is why there should be limits on Free Speech (tm).

      And before the "haters" downvote are you sure that I am not saying that inviting someone to install malware should not be protected by the first amendment?

  3. Anonymous Coward
    Anonymous Coward

    The shell cares not if you believe in it..

    like the deep magic, it simply is. There are those who still remember it's ways, and many more who have forgotten them, the shell cares not.

    Do not blame the shell for your mortal failings, but instead, do not ask it to do what should not be done, or what cannot be done.

    If thou dost ask the shell to do what cannot be undone, do so at your peril and with caution, as all, even the shell itself, is subject to its action.

    Last, do not suffer the shell access of fools. If they cannot abide these tenets, then it is just and right that the ~ shall define their sole domain.

    1. Anonymous Coward
      Anonymous Coward

      Re: The shell cares not if you believe in it..

      The days when the shell and the account known as "root" wielded supreme power have come to a close.

      For these are the days of the System Integrity Protection and the Secure Boot. The power of the shell has faded and waned, even the almighty "root" cannot overcome it.

      Yea, even the misplaced rm -Rf / will no longer bring a system to its knees. Even the shell suffers from the mighty Gatekeeper, and not even a chmod 777 will overcome its wrath.

      /bin is now beyond the power of the shell to change, as is /sbin. The shell can see the read-only system volume hidden from GUI eyes, but it is powerless to change it.

      1. Charlie Clark Silver badge

        Re: The shell cares not if you believe in it..

        I think this exploits demonstrates that the workarounds required by these new-fangled protections always contain their own flaws…

    2. amanfromMars 1 Silver badge

      The shell cares not if you do not believe in it..but it does take care of you

      Do not blame the shell for your mortal failings, but instead, do not ask it to do what should not be done, or what cannot be done. ..... Anonymous Coward

      Because of the latest revisions to the Master Sees, AC, postmodernised versions of the Sublime Instruction Set advise humanity of the following abiding 0day exploit vulnerability and Persistent Advanced ACTive Cyber Threat and/or Treat. ...... Do not blame the shell for your mortal failings, but instead, do not ask it to do what should not be done whenever anything and everything can be done with immunity and impunity.

      It is no small change in the Great Schema of the IoT Thing.

  4. chivo243 Silver badge

    Run software update

    and forget this issue. It has been remedied. I have no sympathy for users who install crap software just because a blingy advert told them to...

  5. Grease Monkey Silver badge

    What is it with Apple stories that as soon as anybody criticises Apple there is always some commentard who will wade in with "but Microsoft..."

    This is a story about an Apple vulnerability but is seems a large section of the faithful believe only Apple and MS exist and as long as you can claim Apple are better than MS then that makes everything OK.

    I'm sure a shrink would have a field day with these people.

    1. blah@blag.com

      Potential humiliation is a great motivator.

      It's because people rationalise their past choices. If you choose wrongly (MS/Apple/Linux in this case) then that makes you look bad. We generally invest serious amounts of money and time into our choice of digital infrastructure, so if something happens so that others can point and laugh then we go down the road of "yeah but ...". Potential humiliation is a great motivator.

      I am not immune to this just like every other person on this planet but being aware of it is helpful. I try to look at Windows, MacOS & Linux as just toolboxes to be deployed as required. I prefer Linux because it gives me more choices but I use the others where it makes sense to do so.

      But all that is just a distraction. Digital Hygiene is hard enough for us technicians, how on earth are the majority non-technical people supposed to cope with all this? The answer is they won't ever, in fact it will only ever get worse.

      1. Anonymous Coward
        Anonymous Coward

        Re: Potential humiliation is a great motivator.

        This is why we trended towards MacOS for desktops. When you run a TCO assessment, you only end up with Microsoft if you omit staff time losses which adds up to a great deal more than hardware costs (although I'm still looking for decent metrics for usability, we just run scenarios).

        That said, some companies have sunk so much cost in especially customisation that they've locked themselves into a box they cannot escape from without a great deal of extra expense, especially if they don't have an open standards dictat like we have imposed on us - I don't given them much chance to change. Which, of course, was the whole point.

  6. iron Silver badge

    > "A victim detonating one of these payloads

    Pretentious fear-mongering twat.

    1. amanfromMars 1 Silver badge

      Default Condition Code Red in Wild Wacky Western Spheres of Malevolence*

      Pretentious fear-mongering twat........ iron

      It is hardly an Earth shattering exclusive identifying the ubiquitous useful idiot, iron, whenever terrestrial news media is both lock. stock and barrel infested and so heavily root invested in and plagued by such Remote Access Trojans on the sinking ships of empires past built and presently vastly failing and fast fading in the full glare and and shady shadows broadbandcast by the SMARTR Lights of Sublime Internet Networking Virtual Machinery simply pumping and dumping and pimping undeniable home-grown truths, which to deny, return again and again to destroy the doubting Thomases and Thomasinas alike, sparing none the moronic mercy of baying crowds.

      Fear, Uncertainty and Doubt, Doom and Gloom, Raging Conflict and Imminent Collapse is their Stock in Trade and Fare and Store. Tell me that isn't perfect fodder for pretentious fear-mongering twats and we will fundamentally disagree.

      Cast you eyes across and open your ears to what it has been decided to be made available for presentation to you today, and tell me it isn't true, and neither is anything in all of that so easily and clearly freely shared above.

      Tell us all here that aint no Code Red, Colonel Jessup .... and such are not akin to a crime against humanity and an act of war against innocent civilian beings in an ignorant state, for all here to disagree with you, LOUDLY AND CLEARLY again.

      And if you support Code Reds there be consequences which may or may not be very much like that shown in this brief clip spotlighting an arrogant fall from grace and assumed power ....... Jessup Is Arrested

      * ..... in Advanced IntelAIgent Eras of Greater Brainwashing Revolts.

      Be careful out there, as strange as things are, they aint like they used to be, and are definitely getting even stranger. :-) IT's practically primeval and a primitive virtual virgin jungle.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021