Remote Mac hack relies on MDM bug Apple patched in latest macOS update

Posted:
in macOS
Researchers at the Black Hat security conference at Las Vegas intend to demonstrate an exploit in Apple's enterprise tools that lets well-equipped hackers compromise a Mac the first time it connects to Wi-Fi, though the bug has already been patched in the latest macOS High Sierra update.

2018 MacBook Pro


As reported by Wired, Jesse Endahl, chief security officer at Mac management company Fleetsmith, and Dropbox staff engineer Max Blanger uncovered a bug in Apple's enterprise hardware management setup tools that can be used to gain remote access to a target Mac. The pair plan to demonstrate the exploit on Thursday.

Notably, hackers can -- with some difficulty -- construct a man-in-the-middle attack that downloads malware or other malicious software before a client logs in to a new Mac for the first time.

Apple's enterprise tools, the Device Enrollment Program and Mobile Device Management platform, work in tandem to provide an easy IT setup regimen for companies deploying a large number of devices to their workers.

With the help of firms like Fleetsmith, companies that take part in MDM programs can send employees new hardware directly from Apple. When an employee opens and logs in to their new Mac for the first time, it connects to Apple's servers, as well as those run by the MDM vendor, to retrieve a configuration manifest.

The Mac skips from server to server to pick up the assets provisioned to complete an automated setup process, one that ultimately results in a custom configured machine ready for integration with the MDM customer's infrastructure. Endahl and Blanger discovered a problem with Apple's certificate pinning, which authenticates web servers throughout the configuration process.

In particular, the researchers found a bug in Apple's MDM sequence that, when the process hands the machine over to the Mac App Store, fails to complete pinning to confirm the authenticity of an app download manifest, the report said. The hole provides an opportunity for hackers to install malicious code on a target Mac remotely and without alerting the end user.

"We found a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the very first time," Endahl says. "By the time they're logging in, by the time they see the desktop, the computer is already compromised."

While technically possible, would be hackers would need access to the right tools and privileges to make such an attack is feasible. For instance, Endahl was only able to demonstrate the vulnerability by using Fleetsmith's MDM privileges to set up a certified server and tainted payload. That said, a dedicated hacker -- or motivated government -- might be compelled to attempt the attack as it presents potential access to a corporation's entire network of managed Macs.

"One of the aspects that's scary about this is if you're able to set this up at the company level you could infect everybody depending on where you do the man-in-the-middle," Blanger said. "This all happens very early in the device's setup, so there aren't really restrictions on what those setup components can do. They have full power, so they're at risk of being compromised in a pretty special way."

Apple was notified of the exploit and issued a fix in the latest macOS High Sierra 10.13.6 update released last month, though users are still vulnerable. As noted by Wired, though the bug was addressed a month ago, there are likely many Macs that remain in channel inventory running older, un-patched versions of the operating system. Further, MDM firms processing Mac deployments also need to support the latest macOS 10.13.6 release to counter the exploit, according to Endahl and Blanger.

Comments

  • Reply 1 of 11
    MacProMacPro Posts: 19,822member
    Removed question ... Didn't read correctly ... need more coffee ...
    edited August 2018
  • Reply 2 of 11
    lkrupplkrupp Posts: 10,557member
    Listen up all you users who refuse to update for various, usually irrational, reasons. Keep your damn systems up to date. The Apple discussion forums are full of posts from users wanting to roll back updates because something happened and they don’t want to troubleshoot the issue. “I just updated to macOS 10.13.6 and my printer stopped working. How do I go back to 10.13.4?” Or, “I updated to 10.13.6 and this third party game I downloaded six years ago doesn’t work anymore. How do I go back to plain old Sierra?”

    Well, you get the drift. 
    Rayz2016
  • Reply 3 of 11
    lkrupp said:
    Listen up all you users who refuse to update for various, usually irrational, reasons. Keep your damn systems up to date. The Apple discussion forums are full of posts from users wanting to roll back updates because something happened and they don’t want to troubleshoot the issue. “I just updated to macOS 10.13.6 and my printer stopped working. How do I go back to 10.13.4?” Or, “I updated to 10.13.6 and this third party game I downloaded six years ago doesn’t work anymore. How do I go back to plain old Sierra?”

    Well, you get the drift. 
    Yes. Spend your money on new hardware and replace something that has been working for long time. Do you actually work in Apple marketting department? You sound like you do.
    Apple has bad approach and low quality testing and coding these days and that is fact I found out from buddy who just left their development team in Mac in Cupertino. We are from the same region in finance (NYC). You cannot afford to be that arrogant to business users in our area. That is why Apple is niche in it. You do test and support working sytuff or you are gone in no time.Updates and upgrades are rolled out in proper waves and timing - vendor can do this at any time but when something brakes they are "Johnny-on-thespot" and fix overnight or else. I know what was doen in Goldman Saxchs at the time an trust me even Microsoft had to bend and listen.
    thedarkhalfdysamoria
  • Reply 4 of 11
    lkrupp said:
    Listen up all you users who refuse to update for various, usually irrational, reasons. Keep your damn systems up to date. The Apple discussion forums are full of posts from users wanting to roll back updates because something happened and they don’t want to troubleshoot the issue. “I just updated to macOS 10.13.6 and my printer stopped working. How do I go back to 10.13.4?” Or, “I updated to 10.13.6 and this third party game I downloaded six years ago doesn’t work anymore. How do I go back to plain old Sierra?”

    Well, you get the drift. 
    Yes. Spend your money on new hardware and replace something that has been working for long time. Do you actually work in Apple marketting department? You sound like you do.
    Apple has bad approach and low quality testing and coding these days and that is fact I found out from buddy who just left their development team in Mac in Cupertino. We are from the same region in finance (NYC). You cannot afford to be that arrogant to business users in our area. That is why Apple is niche in it. You do test and support working sytuff or you are gone in no time.Updates and upgrades are rolled out in proper waves and timing - vendor can do this at any time but when something brakes they are "Johnny-on-thespot" and fix overnight or else. I know what was doen in Goldman Saxchs at the time an trust me even Microsoft had to bend and listen.
    This!! To expect that every user should just upgrade "...just cause" is ignorant to so many factors, especially in the business world.
    dysamoria
  • Reply 5 of 11
    lkrupplkrupp Posts: 10,557member
    lkrupp said:
    Listen up all you users who refuse to update for various, usually irrational, reasons. Keep your damn systems up to date. The Apple discussion forums are full of posts from users wanting to roll back updates because something happened and they don’t want to troubleshoot the issue. “I just updated to macOS 10.13.6 and my printer stopped working. How do I go back to 10.13.4?” Or, “I updated to 10.13.6 and this third party game I downloaded six years ago doesn’t work anymore. How do I go back to plain old Sierra?”

    Well, you get the drift. 
    Yes. Spend your money on new hardware and replace something that has been working for long time. Do you actually work in Apple marketting department? You sound like you do.
    Apple has bad approach and low quality testing and coding these days and that is fact I found out from buddy who just left their development team in Mac in Cupertino. We are from the same region in finance (NYC). You cannot afford to be that arrogant to business users in our area. That is why Apple is niche in it. You do test and support working sytuff or you are gone in no time.Updates and upgrades are rolled out in proper waves and timing - vendor can do this at any time but when something brakes they are "Johnny-on-thespot" and fix overnight or else. I know what was doen in Goldman Saxchs at the time an trust me even Microsoft had to bend and listen.
    I’m talking about macOS and security. Every single word you typed is raging, blathering idiocy, a sure sign of being an Apple hater who makes things up on the spot.  Your OPINION about Apple’s quality is laughable, literally laughable. 
  • Reply 6 of 11
    dysamoriadysamoria Posts: 3,430member
    Chill out. They're right. When Apple abandons older systems, like my MacBook Pro 5,5, there's NO OPTION to update the OS to patch this vulnerability. The only option is to throw it away (or never use it on anyone else's network, in this case) and buy a new one with the latest version.

    People who slam others with "always use the latest version for security reasons" generally don't have any concept of what others do with their systems, need from their systems, and can afford. Your absolutist position is NOT reasonable.
  • Reply 7 of 11
    dysamoriadysamoria Posts: 3,430member
    Also, typo in article:

    "...hackers would need access to the right tools and privileges to make such an attack is feasible."

    Remove "is".
  • Reply 8 of 11
    IreneWIreneW Posts: 306member
    lkrupp said:
    lkrupp said:
    Listen up all you users who refuse to update for various, usually irrational, reasons. Keep your damn systems up to date. The Apple discussion forums are full of posts from users wanting to roll back updates because something happened and they don’t want to troubleshoot the issue. “I just updated to macOS 10.13.6 and my printer stopped working. How do I go back to 10.13.4?” Or, “I updated to 10.13.6 and this third party game I downloaded six years ago doesn’t work anymore. How do I go back to plain old Sierra?”

    Well, you get the drift. 
    Yes. Spend your money on new hardware and replace something that has been working for long time. Do you actually work in Apple marketting department? You sound like you do.
    Apple has bad approach and low quality testing and coding these days and that is fact I found out from buddy who just left their development team in Mac in Cupertino. We are from the same region in finance (NYC). You cannot afford to be that arrogant to business users in our area. That is why Apple is niche in it. You do test and support working sytuff or you are gone in no time.Updates and upgrades are rolled out in proper waves and timing - vendor can do this at any time but when something brakes they are "Johnny-on-thespot" and fix overnight or else. I know what was doen in Goldman Saxchs at the time an trust me even Microsoft had to bend and listen.
    I’m talking about macOS and security. Every single word you typed is raging, blathering idiocy, a sure sign of being an Apple hater who makes things up on the spot.  Your OPINION about Apple’s quality is laughable, literally laughable. 
    Well, Apple's QC has actually gotten worse. You cannot deny that. Still, everyone should definitely keep their Macs (and phones) updated. 

    In a production environment this may be different, but then again I'd never recommend running macOS there. That is a Linux domain.
  • Reply 9 of 11
    Since this hack occurs before anyone logs in to the computer, the OS version at the time of the hack will be whatever it shipped with. The user will have no opportunity to update until the enrollment is complete.
    IreneW
  • Reply 10 of 11
    blah64blah64 Posts: 993member
    scotius said:
    Since this hack occurs before anyone logs in to the computer, the OS version at the time of the hack will be whatever it shipped with. The user will have no opportunity to update until the enrollment is complete.
    Bingo! 

    Amazing, someone's very first comment on AI was actually insightful and worthwhile.  Thanks Scotius.
    edited August 2018
  • Reply 11 of 11
    blah64blah64 Posts: 993member
    lkrupp said:
    lkrupp said:
    Listen up all you users who refuse to update for various, usually irrational, reasons. Keep your damn systems up to date. The Apple discussion forums are full of posts from users wanting to roll back updates because something happened and they don’t want to troubleshoot the issue. “I just updated to macOS 10.13.6 and my printer stopped working. How do I go back to 10.13.4?” Or, “I updated to 10.13.6 and this third party game I downloaded six years ago doesn’t work anymore. How do I go back to plain old Sierra?”

    Well, you get the drift. 
    Yes. Spend your money on new hardware and replace something that has been working for long time. Do you actually work in Apple marketting department? You sound like you do.
    Apple has bad approach and low quality testing and coding these days and that is fact I found out from buddy who just left their development team in Mac in Cupertino. We are from the same region in finance (NYC). You cannot afford to be that arrogant to business users in our area. That is why Apple is niche in it. You do test and support working sytuff or you are gone in no time.Updates and upgrades are rolled out in proper waves and timing - vendor can do this at any time but when something brakes they are "Johnny-on-thespot" and fix overnight or else. I know what was doen in Goldman Saxchs at the time an trust me even Microsoft had to bend and listen.
    I’m talking about macOS and security. Every single word you typed is raging, blathering idiocy, a sure sign of being an Apple hater who makes things up on the spot.  Your OPINION about Apple’s quality is laughable, literally laughable. 
    You're still on your holier-than-thou rants, huh?

    If you don't work in the data security industry or a similar subset of IT, then I guarantee I know more about this than you do.  And Every single word you typed is raging, blathering idiocy, a sure sign of being an Apple hater lover who makes things up on the spot.  Your OPINION about Apple’s quality is laughable, literally laughable.

    See what I did there? 

    Stop projecting your own use cases on other people.  You do this all the time and it makes you look stupid.
Sign In or Register to comment.