With macOS 13, aka Ventura, which Apple released last October, the Mac also gained a new security feature: the so-called Background Task Manager. It is meant to help identify and stop problematic background processes, or at least to inform users about them. However, as the well-known security researcher Patrick Wardle demonstrated at the Defcon security conference in Las Vegas, it only does half the job.
At least three exploits found
The anti-malware tool is “trivially” easy to circumvent, although it is intended to help identify persistent malware. It is good that Apple finally added such a feature. “But the implementation is so bad that almost any slightly more intelligent malware can bypass the monitoring,” Wardle told Wired magazine. When the Background Task Manager was first introduced, the initial problem was that notifications were missing or insufficient. According to Wardle, this has since been fixed.
However, this did not solve the fundamental problem. Wardle has now found at least three different methods of circumventing the monitoring. One of them requires root access, but could help attackers install even more problematic background processes without users noticing.
No responsible disclosure
The two exploits that do not require root are smarter: one uses a bug related to communication with the macOS kernel, the other puts the processes responsible for background task monitoring to sleep, although this should not actually be possible for such system-related processes.
Wardle did not follow the usual responsible disclosure process when publishing the bugs, so he gave Apple no advance warning. His reason: he had previously informed the company about possible points of attack (and the fundamental problems) of the Background Task Manager. What’s more, previous macOS versions had no background process monitoring at all. It is unclear how Apple will react now, and Wardle does not know either whether the fundamental problems can be solved.