Archive for May 9, 2024

Thursday, May 9, 2024

Apple Platform Security Guide (May 2024)

Apple (PDF, via Ivan Krstić):

Unless otherwise noted, this documentation covers the following operating system versions: iOS 17.3, iPadOS 17.3, macOS 14.3, tvOS 17.3, and watchOS 10.3.


Topics added:

I thought I must have missed last year’s update, but it looks like the previous revision was in December 2022.


Certain instructions on ARM64, including but not limited to those described in Arm Architecture Registers for Future Architecture Technologies, may take a different amount of time to run depending on the data values on which they operate. Malicious code running on the device might use this property to infer information about the data the CPU processes, such as cryptographic keys, or other sensitive data.

Apple silicon provides data-independent timing (DIT), in which the processor completes certain instructions in a constant amount of time. With DIT enabled, the processor uses the longer, worst-case amount of time to complete the instruction, regardless of the input data. When you write software specifically to avoid leaking internal information and to run code in constant time, enabling DIT — and restricting your code to instructions that support DIT — before loading cryptographic key material, performing cryptographic operations, or processing sensitive data ensures the timing of specific instructions doesn’t reveal information about the data being processed.


Should malware make its way onto a Mac, XProtect also includes technology to remediate infections. For example, it includes an engine that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). This system removes malware upon receiving updated information, and it continues to periodically check for infections; however, XProtect doesn’t automatically restart the Mac. In addition, XProtect contains an advanced engine to detect unknown malware based on behavioral analysis. Information about malware detected by this engine, including what software was ultimately responsible for downloading it, is used to improve XProtect signatures and macOS security.

Via tsunekoh:

The latest Apple Platform Security documentation includes a description of XProtectBehaviorService.

Phil Stokes:

So Apple…what they don’t say there is that this behavior “service” just logs “information” back to Apple, doesn’t report what it finds to the user (so no investigation, triage or root cause analysis) nor does it actually block or remediate anything.


Update (2024-05-10): Howard Oakley:

On the other hand, XProtectRemediator “continues to periodically check for infections” in background scans run every 24 hours or so. When it detects what it considers to be malicious software, it automatically tries to remove or ‘remediate’ it without informing the user, and “doesnʼt automatically reboot the Mac.”

This was made clearer with the recent release of XProtect Remediator version 132, which took a dislike to some of the optional components in Xcode. A recent amendment to Apple’s release notes for Xcode 15.3 makes it clear that XProtect Remediator’s false positive did change Xcode without informing the user in any way. The only indication that a remediation was taking place was an authentication dialog for the change to be made to the Xcode app, and there was no indication given to the user that this was part of any malware remediation.

Update (2024-05-15): Gui Rambo:

It looks like iPadOS running on M4 has a “Secure Exclave” running an “ExclaveOS” 👀 Where’s the updated Apple platform security PDF? 😅

Cuckoo Malware

Adam Kohler and Christopher Lopez:

The downloaded DMG contains an application bundle. Normally, macOS applications instruct the user to drag such apps into the /Applications folder. But in this case, it tells the user to right-click on it and click Open.


Looking into the upd file in the original bundle, we found that it is signed adhoc with no developer ID. This means that Gatekeeper will initially stop the app from running and require the user to manually allow it.


The application then creates a new copy of upd, renames it DumpMediaSpotifyMusicConverter, and places it in a hidden folder in the /Users directory. This is why it sometimes appears as upd and other times as DumpMediaSpotifyMusicConverter. The original upd will then use xattr -d to remove the quarantine flag from itself and from the copy of DumpMediaSpotifyMusicConverter.


From here, upd uses osascript to ask the user for their password using the prompt “macOS needs to access System Settings.”

It sends data and even screen captures back to a server, muting the volume so the user doesn’t know a screenshot was being taken.

Root Privilege Escalation via diskutil


A new local privilege escalation vulnerability has been discovered in macOS which could allow any user to escalate their privileges to root by mounting filesystems using “diskutil” command line utility. This new vulnerability has been assigned with CVE-2023-42931 and the severity is yet to be categorized.


If a user has mount privileges on the macOS, then the user needs to find a file which has the following conditions.

  • Owned by root when mounted in “owners” mode;
  • Considered owned by myself when mounted in “noowners” mode;
  • Not protected by SIP.


After creating this suidshell binary, the next step would be to mount the targeted filesystem with the “noowners“ flag. Then the researcher proceeded to make the “.file” writable and copy the suidshell binary into the “.file”.

Apple fixed this late last year.


Why In-App Purchases Don’t Work for the Enterprise

Caleb Basinger:

We don’t buy apps through the App Store. Rather, we purchase licenses in bulk—one for every employee or device—through Apple’s Apps and Books program, part of Apple Business Manager and Apple School Manager.


The only problem is that Apps and Books doesn’t support in-app purchases or in-app subscriptions. That means we can’t access the features we need with the licenses we buy that way.


Without altering your existing app on the App Store, you could use the same code-base to create a second, fully paid premium version of it that includes all the features we need. You could add this premium version to the App Store alongside the one you sell now that has in-app purchases. This would make your app available to us to purchase in the Apps and Books store in large quantities.


If you’re concerned about potentially confusing buyers by having two similar apps on the App Store with different purchase models, there is another way: Using the same development and App Store process, you could make a custom app available only to specific organizations within the Apps and Books program.

Via Luc Vandal:

It’s kinda odd that on one end Apple is pushing devs to move to a subscription model but on the other end, that model is incompatible with Apple Business Management so schools or businesses cannot purchase your app unless you create a “pro” or custom version, which is just another thing to worry about.

It’s like one hand doesn’t talk to the other at Apple.

At the same time, it’s not that surprising when you see how much the MAS lacks compared to its iOS counterpart.

I sometimes get requests from businesses or schools but I already have 3 binaries to worry about (Mac, iOS, visionOS). Having 6 would be a lot of additional work and I just can’t imagine getting rejected and having to deal with all this.

Craig Hockenberry:

Volume licenses are one of the main reasons we have a download of xScope on our website in addition to the Mac App Store.

But, of course, that’s not possible with iOS apps.

Yannik Bloscheck:

Without Apple Business Essentials, which even now after many years after its original release is still only available in the US, companies still can't even increase the default 5 GB iCloud storage for their managed Apple IDs. So Apple is even really hurting their own direct services revenue with all of this, but despite that they still haven't come around to improving it.