Network-assessment

iPhones are probably Apple’s most popular product, but a lot of people also use Mac computers, especially if they work in a creative industry like video production or just want to look cool at the local coffee shop. But the truth is, those pricey MacBooks aren’t perfect—and even though they seem to get thinner and lighter after each generation, they suffer from some very real problems.

Like what?

In order to make 2015-2017 model MacBooks, as well as 2016-2017 MacBook Pros, as thin as possible, Apple has designed them with what they call “butterfly” keys. Basically, this term refers to the physical mechanisms underneath the keys that register a “press” to the system. They are tiny and fragile, even more so than in previous MacBook and non-Mac laptop built-in keyboards for an ultra-thin design. Not only does the keyboard look sleek, you can barely feel the depression of a keystroke.

But unfortunately, that design has been prone to many physical problems. A speck of dust under a key can jam up the workings, and even if you store your MacBook in an immaculate, dust-free environment, keys have still been reported to feel “sticky” and incapable of responding consistently to use—even when working with a fancy $10 latte.

Fortunately, Apple has tried to fix the problem and is now offering customers who have a MacBook with a defective keyboard a repair free of charge for four years after the first retail sale of the unit. That doesn’t extend any existing warranties, however, and the MacBook must be repaired by Apple and not by a third-party repair shop.

So that’s a physical problem. But sometimes Macs have cybersecurity problems too…

Like what?

Dropbox is a cloud-based backup service that many individuals and businesses use. This past winter, they announced they were conducting some security testing exercises with their partner, cybersecurity firm Syndis. Syndis discovered some pretty worrisome security vulnerabilities pertaining not only to macOS (the Mac operating system), but also to Apple’s Safari web browser, even the version of Safari running on iOS! (There was a version of Safari for Windows which was discontinued in 2012.)

The security testing Syndis performed is what we, in the industry, call a penetration test, or “pen test” for short. It’s when cybersecurity professionals have the permission of a business or an organization to try and attack their network, as if they were a real cyber attacker. Sounds a little scary, but it’s a great way to locate security problems that need to be fixed—the sooner the better! The permission part is absolutely crucial, because doing a pen test without permission isn’t actually a pen test, it’s a good, old-fashioned illegal attack.

Lengthy legal agreements are made between pen testers and the company about how they will try to simulate cyber attacks on their network. This testing is often done in different ways—like using a combination of remote attacks through their network; social engineering attacks trying to fool employees into granting unfettered access; and tests of the physical security protecting the server room.

Here are the security problems that Syndis found…

Many discovered cybersecurity vulnerabilities are recorded into the Common Vulnerabilities and Exposures database, CVE for short. Security problems in the form of both software and hardware, from every brand you can imagine, are recorded there. When cybersecurity experts talk about a specific safety problem in a certain piece of software, they will often refer to it by the identification number assigned by the CVE.

The first of these macOS vulnerabilities Syndis discovered is CVE-2017-13890, and it’s described this way: “An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. macOS before 10.13 is affected. The issue involves the ‘CoreTypes’ component. It allows remote attackers to trigger disk-image mounting via a crafted website.”

Okay, here’s what that means. If you surfed the web within OS X El Capitan 10.11.6 or macOS Sierra 10.12.6, you could be vulnerable to a cyber attacker’s website. Many macOS applications are in the .dmg file format, which is essentially a “disk-image” like the data on a DVD, but entirely on your Mac’s hard drive. When you execute a .dmg file on your Mac, it’s like putting an app’s DVD in, but without the need for the DVD or your DVD drive. Most of the .dmg files that you use with your Mac are good, safe software. But a remote cyber attacker could exploit a vulnerability that would allow them to execute a malware disk-image on your MacBook from their booby-trapped webpage. And this malware disk-image could accomplish many malicious activities, including permission for a cyber attacker to gain complete control over your system!

Next, there’s CVE-2018-4176: “An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the ‘Disk Images’ component. It allows attackers to trigger an app launch upon mounting a crafted disk image.” This problem is similar to the other one. If a cyber attacker gets a malware disk image onto your Mac through the web vulnerability or some different vulnerability that doesn’t pertain to the web, they can launch the malware app. The malware app could cause a lot of harm, including allowing the cyber attacker to control your Mac remotely, spy on your activities, or be ransomware which locks your files away from you unless you pay the attacker lots of money!

Then the third vulnerability is CVE-2018-4175: “An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the ‘LaunchServices’ component. It allows attackers to bypass the code-signing protection mechanism via a crafted app.” This one is a little different, even though the results can be just as bad. Code-signing is a security mechanism in some software that tells your operating system, such as macOS, that an application is safe and legitimate software from a reputable developer and not malware. This vulnerability allows a cyber attacker to bypass that safety check, so they can execute all kinds of malware on your Mac.

Macs need their security updates too.

The good news is, Apple patched these vulnerabilities back in March, about a month after Syndis reported them to the corporate giant. If you use OS X El Capitan 10.11, macOS Sierra 10.12, or macOS High Sierra 10.13, and you automatically install all of the security updates Apple sends to your Mac, you should be fine. At least as far as those specific problems are concerned!
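A defensive check built on the version number quoted in the CVE entries above, as an added example that is not part of the original article: it classifies a macOS version string against 10.13.4. The function names and result labels are made up for this example, and for 10.11 and 10.12 it only reports that installed security updates must be checked, since the version number alone does not show them.

```shell
#!/bin/sh
# Added example: classify a macOS version against the fix level quoted in the
# CVE entries above ("macOS before 10.13.4 is affected").
FIXED_VERSION="10.13.4"   # taken from the CVE text quoted in the article

# version_lt A B: succeed (exit 0) if dotted version A is lower than B.
# Missing components count as 0, so "10.13" compares as "10.13.0".
version_lt() {
    a_rest="$1" b_rest="$2"
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        a_part="${a_rest%%.*}"; b_part="${b_rest%%.*}"
        case "$a_rest" in *.*) a_rest="${a_rest#*.}" ;; *) a_rest="" ;; esac
        case "$b_rest" in *.*) b_rest="${b_rest#*.}" ;; *) b_rest="" ;; esac
        a_part="${a_part:-0}"; b_part="${b_part:-0}"
        [ "$a_part" -lt "$b_part" ] && return 0
        [ "$a_part" -gt "$b_part" ] && return 1
    done
    return 1   # equal versions are not "lower"
}

# classify_macos VERSION prints one label (labels are hypothetical):
#   update-needed  10.13.x below the fixed release
#   fixed-release  10.13.4 or later
#   check-updates  10.11.x / 10.12.x: fixes arrive as security updates,
#                  which the version number alone does not show
#   not-covered    older than 10.11, which the article does not discuss
#   invalid        not a dotted numeric version
classify_macos() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 0 ;;
    esac
    if version_lt "$1" "10.11"; then echo not-covered
    elif version_lt "$1" "10.13"; then echo check-updates
    elif version_lt "$1" "$FIXED_VERSION"; then echo update-needed
    else echo fixed-release
    fi
}

# Pass a version as $1, or on a Mac let sw_vers report the installed one.
if [ -n "${1:-}" ]; then
    classify_macos "$1"
elif command -v sw_vers >/dev/null 2>&1; then
    classify_macos "$(sw_vers -productVersion)"
fi
```

The comparison is numeric per component, so a version such as 10.9 sorts below 10.13 instead of above it as a plain string comparison would.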

This story should remind people that contrary to what some people think, all OSes have security problems and are susceptible to malware. Not only Windows, but also macOS, Linux, iPhones, and Android phones. Make sure your computer or phone installs the security updates it receives, run antivirus software, check for vulnerabilities, and practice wise internet use!


Worked in a variety of IT roles until cybersecurity captured her intrigue after resolving a multitude of different malware problems for clients. Concurrently with computer technology, she enjoys creative writing and even won a few writing contests as a child. Over the years, these interests have segued into a successful blogging career. She enjoys reading novels and biographies, console gaming, lurking in web forums, alternative fashion and listening to jazz, funk, and goth music.
