macOS Vulnerabilities Hiding in Plain Sight
macOS vulnerabilities hiding in plain sight: Uncover the surprising ways malware can exploit system services, files, and directories to elevate privileges and compromise your Mac.
- Disk Arbitration is a macOS service for managing disk mounting and unmounting, used to prevent attacks.
- Malware can use symlinks to mount a disk image over a privileged directory, allowing exploitation of a sandboxed process.
- CV 2021/18/15 allows an attacker to create an arbitrary file in a protected directory, permitting privilege escalation.
- Disk Arbitration has two SQLite databases, one for application management and another for system-wide preference management.
- Apple’s private entitlement for Feedback Assistant allowed it to invoke the sysdiagnose utility, leading to a privilege escalation vulnerability.
- TCC 0-day, used in macOS code signing, is not commonly used in malware, except in CV 2021/18/15.
- Sandboxed applications can execute code in memory, using audit tokens for verification.
- Preference management can be exploited for privilege escalation using a race condition.
- macOS did not verify code signing properties of running processes, potentially leading to security issues.
- Fake Zoom applications can be created using arbitrary directories and entitlements, allowing exploit of macOS privacy mechanisms.
- Mfi checks for in-memory integrity can be bypassed by changing ownership of arbitrary directories to the user.
- System-wide privilege escalation can occur by mounting over the /private/tmp directory.