macOS

Apple lets some Big Sur network traffic bypass firewalls

A somewhat cartoonish diagram illustrates issues with a firewall.

Patrick Wardle

Firewalls aren’t just for corporate networks. Large numbers of security- or privacy-conscious people also use them to filter or redirect traffic flowing in and out of their computers. Apple recently made a major change to macOS that frustrates these efforts.

Beginning with macOS Catalina released last year, Apple added a list of 50 Apple-specific apps and processes that were to be exempted from firewalls like Little Snitch and Lulu. The undocumented exemption, which didn’t take effect until firewalls were rewritten to implement changes in Big Sur, first came to light in October. Patrick Wardle, a security researcher at Mac and iOS enterprise developer Jamf, further documented the new behavior over the weekend.

“100% blind”

To demonstrate the risks that come with this move, Wardle—a former hacker for the NSA—demonstrated how malware developers could exploit the change to make an end-run around a tried-and-true security measure. He set Lulu and Little Snitch to block all outgoing traffic on a Mac running Big Sur and then ran a small programming script that had exploit code interact with one of the apps that Apple exempted. The python script had no trouble reaching a command and control server he set up to simulate one commonly used by malware to exfiltrate sensitive data.

“It kindly asked (coerced?) one of the trusted Apple items to generate network traffic to an attacker-controlled server and could (ab)use this to exfiltrate files,” Wardle, referring to the script, told me. “Basically, ‘Hey, Mr. Apple Item, can you please send this file to Patrick’s remote server?’ And it would kindly agree. And since the traffic was coming from the trusted item, it would never be routed through the firewall… meaning the firewall is 100% blind.”

Wardle tweeted a portion of a bug report he submitted to Apple during the Big Sur beta phase. It specifically warns that “essential security tools such as firewalls are ineffective” under the change.

Apple has yet to explain the reason behind the change. Firewall misconfigurations are often the source of software not working properly. One possibility is that Apple implemented the move to reduce the number of support requests it receives and make the Mac experience better for people not schooled in setting up effective firewall rules. It’s not unusual for firewalls to exempt their own traffic. Apple may be applying the same rationale.

But the inability to override the settings violates a core tenet that people ought to be able to selectively restrict traffic flowing from their own computers. In the event that a Mac does become infected, the change also gives hackers a way to bypass what for many is an effective mitigation against such attacks.

“The issue I see is that it opens the door for doing exactly what Patrick demoed… malware authors can use this to sneak data around a firewall,” Thomas Reed, director of Mac and mobile offerings at security firm Malwarebytes, said. “Plus, there’s always the potential that someone may have a legitimate need to block some Apple traffic for some reason, but this takes away that ability without using some kind of hardware network filter outside the Mac.”

People who want to know what apps and processes are exempt can open the macOS terminal and enter sudo defaults read /System/Library/Frameworks/NetworkExtension.framework/Resources/Info.plist ContentFilterExclusionList.

NKEs

The change came as Apple deprecated macOS kernel extensions, which software developers used to make apps interact directly with the OS. The deprecation included NKEs—short for network kernel extensions—that third-party firewall products used to monitor incoming and outgoing traffic.

In place of NKEs, Apple introduced a new user-mode framework called the Network Extension Framework. To run on Big Sur, all third-party firewalls that used NKEs had to be rewritten to use the new framework.

Apple representatives didn’t respond to emailed questions about this change. This post will be updated if they respond later. In the meantime, people who want to override this new exemption will have to find alternatives. As Reed noted above, one option is to rely on a network filter that runs from outside their Mac. Another possibility is to rely on PF, or Packet Filter firewall built into macOS.

Microsoft is adding Linux, Android, and firmware protections to Windows

Screenshot of antivirus protection.

Microsoft is moving forward with its promise to extend enterprise security protections to non-Windows platforms with the general release of a Linux version and a preview of one for Android. The software maker is also beefing up Windows security protections to scan for malicious firmware.

The Linux and Android moves—detailed in posts published on Tuesday here, here, and here—follow a move last year to ship antivirus protections to macOS. Microsoft disclosed the firmware feature last week.

Premium pricing

All the new protections are available to users of Microsoft Advanced Threat Protection and require Windows 10 Enterprise Edition. Public pricing from Microsoft is either non-existent or difficult to find, but according to this site, costs range from $30 to $72 per machine per year to enterprise customers.

In February, when the Linux preview became available, Microsoft said it included antivirus alerts and “preventive capabilities.” Using a command line, admins can manage user machines, initiate and configure antivirus scans, monitor network events, and manage various threats.

“We are just at the beginning of our Linux journey and we are not stopping here!” Tuesday’s post announcing the Linux general availability said. “We are committed to continuous expansion of our capabilities for Linux and will be bringing you enhancements in the coming months.”

The Android preview, meanwhile, provides several protections, including:

  • The blocking of phishing sites and other high-risk domains and URLs accessed through SMS/text, WhatsApp, email, browsers, and other apps. The features use the same Microsoft Defender SmartScreen services that are already available for Windows so that decisions to block suspicious sites will apply across all devices on a network.
  • Proactive scanning for malicious or potentially unwanted applications and files that may be downloaded to a mobile device.
  • Measures to block access to network resources when devices show signs of being compromised with malicious apps or malware.
  • Integration to the same Microsoft Defender Security Center that’s already available for Windows, macOS, and Linux.

Last week, Microsoft said it had added firmware protection to the premium Microsoft Defender. The new offering scans Unified Extensible Firmware Interface, which is the successor to the traditional BIOS that most computers used during the boot process to locate and enumerate hardware installed.

The firmware scanner uses a new component added to virus protection already built into Defender. Hacks that infect firmware are particularly pernicious because they survive reinstallations of the operating system and other security measures. And because firmware runs before Windows starts, it has the ability to burrow deep into an infected system. Until now, there have been only limited ways to detect such attacks on large fleets of machines.

It makes sense that the extensions to non-Windows platforms are available only to enterprises and cost extra. I was surprised, however, that Microsoft is charging a premium for the firmware protection and only offering it to enterprises. Plenty of journalists, attorneys, and activists are equally if not more threatened by so-called evil maid attacks, in which a housekeeper or other stranger has the ability to tamper with firmware during brief physical access to a computer.

Microsoft has a strong financial incentive to make Windows secure for all users. Company representatives didn’t respond to an email asking if the firmware scanner will become more widely available.

Apple releases macOS Catalina 10.15.2, iOS, and iPadOS 13.3

The 2019 16-inch MacBook Pro with the lid closed

Enlarge / The 2019 16-inch MacBook Pro.
Samuel Axon

As has become a custom, Apple has simultaneously released software updates for nearly its entire suite of consumer products today—including iOS 13.3, iPadOS 13.3, macOS Catalina 10.15.2, watchOS 6.1.1, tvOS 13.3—and an update for HomePods. All updates should be available to all users by the end of the day.

iOS 13.3 and iPadOS 13.3 together make for arguably the most notable update. They introduce yet another feature that was originally pitched by Apple as part of iOS 13 but was delayed before that annual update’s release this September: Communication Limits in ScreenTime. Parents can now whitelist contacts for their kids’ accounts, which allows them to block their kids from communicating with anyone outside the list on Apple-made apps like Messages and FaceTime, with exceptions for emergency calls and services like 911.

These two updates also introduce new layouts for certain publications in Apple News+, adds a new interface for liking or disliking stories in News, and expands on the news options and coverage in the Stocks app.

macOS Catalina 10.15.2 gets most of these same News and Stocks features, plus the restoration of the column browser view in Apple Music and the addition of Apple Remote app support for the Music and TV apps on Macs.

Additionally, tvOS 13.3 is a somewhat notable update for recent Apple TV streaming boxes. It includes a slight homescreen redesign for video previews as well as a change to the top shelf of content visible on that screen. Whereas it previously showed you the next items in your TV app queue while that app was selected, it will now recommend new content there by displaying trailers and previews. However, an option has been adding to settings to let you switch back to the old way.

Today’s HomePod update improves voice recognition for family members and “allows individual family members to enable/disable personal requests.” watchOS 6.1.1 is a minor update that contains unspecified bug fixes and optimizations. Apple also released a security update for watchOS 5 for users who do not have an iPhone capable of running iOS 13, as watchOS 6 requires the latest iPhone software.

All of the updates today also have a plethora of bug fixes and security updates for their respective platforms, which you can find in Apple’s release notes below.

iOS and iPadOS 13.3 release notes

iOS 13.3 includes improvements, bug fixes, and additional parental controls for Screen Time.

Screen Time

  • New parental controls provide more communication limits over who their children can call, FaceTime, or Message
  • Contact list for children lets parents manage the contacts that appear on their children’s devices

Apple News

  • New layout for Apple News+ stories from The Wall Street Journal and other leading newspapers
  • Easily like or dislike stories with a tap

Stocks

  • Stories from Apple News are now available in Canada in English and French
  • Continue reading with links to related stories or more stories from the same publication
  • Breaking and Developing labels for Top Stories

This update also includes bug fixes and other improvements. This update:

  • Enables the creation of a new video clip when trimming a video in Photos
  • Adds support for NFC, USB, and Lightning FIDO2-compliant security keys in Safari
  • Fixes issues in Mail that may prevent downloading new messages
  • Addresses an issue that prevented deleting messages in Gmail accounts
  • Resolves issues that could cause incorrect characters to display in messages and duplication of sent messages in Exchange accounts
  • Fixes an issue where the cursor may not move after long-pressing on the space bar
  • Addresses an issue that may cause screenshots to appear blurry when sent via Messages
  • Resolves an issue where cropping or using Markup on screenshots may not save to Photos
  • Fixes an issue where Voice Memos recordings may not be able to be shared with other audio apps
  • Addresses an issue where the missed call badge on the Phone app may not clear
  • Resolves an issue where the Cellular Data setting may incorrectly show as off
  • Fixes an issue that prevented turning off Dark Mode when Smart Invert was enabled
  • Addresses an issue where some wireless chargers may charge more slowly than expected

Newly discovered Mac malware uses “fileless” technique to remain stealthy

Newly discovered Mac malware uses “fileless” technique to remain stealthy

Hackers believed to be working for the North Korean government have upped their game with a recently discovered Mac trojan that uses in-memory execution to remain stealthy.

In-memory execution, also known as fileless infection, never writes anything to a computer hard drive. Instead, it loads malicious code directly into memory and executes it from there. The technique is an effective way to evade antivirus protection because there’s no file to be analyzed or flagged as suspicious.

In-memory infections were once the sole province of state-sponsored attackers. By 2017, more advanced financially motivated hackers had adopted the technique. It has become increasingly common since then.

The malware isn’t entirely fileless. The first stage poses as a cryptocurrency app with the file name UnionCryptoTrader.dmg. When it first came to light earlier this week, only two out of 57 antivirus products detected it as suspicious. On Friday, according to VirusTotal, detection had only modestly improved, with 17 of 57 products flagging it.

Once executed, the file uses a post-installation binary that, according to a detailed analysis by Patrick Wardle, a Mac security expert at enterprise Mac software provider Jamf, can do the following:

  • move a hidden plist (.vip.unioncrypto.plist) from the application’s Resources directory into /Library/LaunchDaemons
  • set it to be owned by root
  • create a /Library/UnionCrypto directory
  • move a hidden binary (.unioncryptoupdater) from the application’s Resources directory into /Library/UnionCrypto/
  • set it to be executable
  • execute this binary (/Library/UnionCrypto/unioncryptoupdater)

The result is a malicious binary named unioncryptoupdated that runs as root and has “persistence,” meaning it survives reboots to ensure it runs constantly.

Wardle said that the installation of a launch daemon whose plist and binary are stored hidden in an application’s resource directory is a technique that matches Lazarus, the name many researchers and intelligence officers use for a North Korean hacking group. Another piece of Mac malware, dubbed AppleJeus, did the same thing.

Another trait that’s consistent with North Korean involvement is the interest in cryptocurrencies. As the US Department of Treasury reported in September, industry groups have unearthed evidence that North Korean hackers have siphoned hundreds of millions of dollars’ worth of cryptocurrencies from exchanges in an attempt to fund the country’s nuclear weapons development programs.

Begin in-memory infection

It is around this point in the infection chain that the fileless execution starts. The infected Mac begins contacting a server at hxxps://unioncrypto[.]vip/update to check for a second-stage payload. If one is available, the malware downloads and decrypts it and then uses macOS programming interfaces to create what’s known as an object file image. The image allows the malicious payload to run in memory without ever touching the hard drive of the infected Mac.

“As the layout of an in-memory process image is different from its on disk-in image, one cannot simply copy a file into memory and directly execute it,” Wardle wrote. “Instead, one must invoke APIs such as NSCreateObjectFileImageFromMemory and NSLinkModule (which take care of preparing the in-memory mapping and linking).”

Wardle was unable to obtain a copy of the second-stage payload, so it’s not clear what it does. Given the theme of cryptocurrency in the file and domain names—and North Korean hackers’ preoccupation with stealing digital coin—it’s a decent bet the follow-on infection is used to access wallets or similar assets.

When Wardle analyzed the malware earlier this week, the control server at hxxps://unioncrypto[.]vip/ was still online, but it was responding with a 0, which signaled to infected computers that no additional payload was available. By Friday, the domain was no longer responding to pings.

Patrick Wardle

While fileless infections are a further indication that Lazarus is growing increasingly more adept at developing stealthy malware, AppleJeus.c, as Wardle has dubbed the recently discovered malware, is still easy for alert users to detect. That’s because it’s not signed by an Apple-trusted developer, a shortcoming that causes macOS to display the warning to the right.

As is typical when applications are installed, macOS also requires users to enter their Mac password. This isn’t automatically a tip-off that something suspicious is happening, but it does prevent the first stage from being installed through drive-bys or other surreptitious methods.

It’s unlikely anyone outside of a cryptocurrency exchange would be targeted by this malware. Those who want to check can look for the existence of (1) /Library/LaunchDaemons/vip.unioncrypto.plist and (2) the running process or binary /Library/UnionCrypto/unioncryptoupdater.

Silent Mac update nukes dangerous webserver installed by Zoom

Pedestrians use crosswalk in large metropolis.

Apple said it has pushed a silent macOS update that removes the undocumented webserver that was installed by the Zoom conferencing app for Mac.

The webserver accepts connections from any device connected to the same local network, a security researcher disclosed on Monday. The server continues to run even when a Mac user uninstalls Zoom. The researcher showed how the webserver can be abused by people on the same network to force Macs to reinstall the conferencing app. Zoom issued an emergency patch on Tuesday in response to blistering criticism from security researchers and end users.

Apple on Wednesday issued an update of its own, a company representative speaking on background told Ars. The update ensures the webserver is removed—even if users have uninstalled Zoom or haven’t installed Tuesday’s update. Apple delivered the silent update automatically, meaning there was no notification or action required of end users. The update was first reported by TechCrunch.

Apple’s update causes Zoom users who click on a conference link to receive a prompt requiring them to confirm they want to join. Previously, clicking on a link—or even encountering a link hidden in a malicious website—automatically opened Zoom and put them into the conference. Zoom developers came under criticism for this behavior as well, because it had the potential to catch users off-guard and expose them to hackers.

Apple occasionally issues silent updates to block malware that’s actively circulating on the Internet. It’s less common for the company to issue silent updates that block or remove something installed by an app users installed by choice. The Apple representative said the company took this action to protect users against risks posed by the webserver. The Zoom app is installed on about 4 million Macs, researcher Jonathan Leitschuh estimated.

Representatives from Zoom didn’t respond to an email seeking comment for this post.

The clever cryptography behind Apple’s “Find My” feature

The 2018 15-inch Apple MacBook Pro with Touch Bar.

Enlarge / The 2018 15-inch Apple MacBook Pro with Touch Bar.
Samuel Axon

When Apple executive Craig Federighi described a new location-tracking feature for Apple devices at the company’s Worldwide Developer Conference keynote on Monday, it sounded—to the sufficiently paranoid, at least—like both a physical security innovation and a potential privacy disaster. But while security experts immediately wondered whether Find My would also offer a new opportunity to track unwitting users, Apple says it built the feature on a unique encryption system carefully designed to prevent exactly that sort of tracking—even by Apple itself.

In upcoming versions of iOS and macOS, the new Find My feature will broadcast Bluetooth signals from Apple devices even when they’re offline, allowing nearby Apple devices to relay their location to the cloud. That should help you locate your stolen laptop even when it’s sleeping in a thief’s bag. And it turns out that Apple’s elaborate encryption scheme is also designed not only to prevent interlopers from identifying or tracking an iDevice from its Bluetooth signal, but also to keep Apple itself from learning device locations, even as it allows you to pinpoint yours.

“Now what’s amazing is that this whole interaction is end-to-end encrypted and anonymous,” Federighi said at the WWDC keynote. “It uses just tiny bits of data that piggyback on existing network traffic so there’s no need to worry about your battery life, your data usage, or your privacy.”

In a background phone call with WIRED following its keynote, Apple broke down that privacy element, explaining how its “encrypted and anonymous” system avoids leaking your location data willy nilly, even as your devices broadcast a Bluetooth signal explicitly designed to let you track your device. The solution to that paradox, it turns out, is a trick that requires you to own at least two Apple devices. Each one emits a constantly changing key that nearby Apple devices use to encrypt and upload your geolocation data, such that only the other Apple device you own possesses the key to decrypt those locations.

That system would obviate the threat of marketers or other snoops tracking Apple device Bluetooth signals, allowing them to build their own histories of every user’s location. “If Apple did things right, and there are a lot of ifs here, it sounds like this could be done in a private way,” says Matthew Green, a cryptographer at Johns Hopkins University. “Even if I tracked you walking around, I wouldn’t be able to recognize you were the same person from one hour to the next.”

In fact, Find My’s cryptography goes one step further than that, denying even Apple itself the ability to learn a user’s locations based on their Bluetooth beacons. That would represent a privacy improvement over Apple’s older tools like Find My iPhone and Find Friends, which don’t offer such safeguards against Apple learning your location.

Here’s how the new system works, as Apple describes it, step by step:

  • When you first set up Find My on your Apple devices—and Apple confirmed you do need at least two devices for this feature to work—it generates an unguessable private key that’s shared on all those devices via end-to-end encrypted communication so that only those machines possess the key.
  • Each device also generates a public key. As in other public key encryption setups, this public key can be used to encrypt data such that no one can decrypt it without the corresponding private key, in this case the one stored on all your Apple devices. This is the “beacon” that your devices will broadcast out via Bluetooth to nearby devices.
  • That public key frequently changes, “rotating” periodically to a new number. Thanks to some mathematical magic, that new number doesn’t correlate with previous versions of the public key, but it still retains its ability to encrypt data such that only your devices can decrypt it. Apple refused to say just how often the key rotates. But every time it does, the change makes it that much harder for anyone to use your Bluetooth beacons to track your movements.
  • Say someone steals your MacBook. Even if the thief carries it around closed and disconnected from the internet, your laptop will emit its rotating public key via Bluetooth. A nearby stranger’s iPhone, with no interaction from its owner, will pick up the signal, check its own location, and encrypt that location data using the public key it picked up from the laptop. The public key doesn’t contain any identifying information, and since it frequently rotates, the stranger’s iPhone can’t link the laptop to its prior locations, either.
  • The stranger’s iPhone then uploads two things to Apple’s server: the encrypted location, and a hash of the laptop’s public key, which will serve as an identifier. Since Apple doesn’t have the private key, it can’t decrypt the location.
  • When you want to find your stolen laptop, you turn to your second Apple device—let’s say an iPad—which contains both the same private key as the laptop and has generated the same series of rotating public keys. When you tap a button to find your laptop, the iPad uploads the same hash of the public key to Apple as an identifier so that Apple can search through its millions upon millions of stored encrypted locations and find the matching hash. One complicating factor is that iPad’s hash of the public key won’t be the same as the one from your stolen laptop, since the public key has likely rotated many times since the stranger’s iPhone picked it up. Apple didn’t quite explain how this works. But Johns Hopkins’ Green points out that the iPad could upload a series of hashes of all its previous public keys so that Apple could sort through them to pull out the previous location where the laptop was spotted.
  • Apple returns the encrypted location of the laptop to your iPad, which can use its private key to decrypt it and tell you the laptop’s last known location. Meanwhile, Apple has never seen the decrypted location, and since hashing functions are designed to be irreversible, it can’t even use the hashed public keys to collect any information about where the device has been.

As staggeringly complex as that might sound, Apple warns that it’s still a somewhat simplified version of the Find My protocol, and that the system is still subject to change before it’s actually released in MacOS Catalina and iOS 13 later this year. The true security of the system will depend on the details of its implementation, warns Johns Hopkins’ Green. But he also says that if it works as Apple described to Wired, it might indeed offer all the privacy guarantees Apple has promised.

“I give them nine out of 10 chance of getting it right,” Green says. “I have not seen anyone actually deploy anything like this to a billion people. The actual techniques are pretty well known in the scientific sense. But actually implementing this will be pretty impressive.”

This story originally appeared on wired.com.