Last Week on My Mac: Supply and demand

I’m in the market for a new Mac. My wife, who is naturally the Editor-in-Chief of this blog, has been getting along using an old white MacBook running OS X 10.6.8, but needs a new hand-me-down in the form of my slightly younger MacBook Air, which in turn needs to be replaced by something capable of getting more from High Sierra.

Last week, when I started browsing Apple’s UK store, I was left feeling rather puzzled. If I wanted any of the standard configurations of either MacBook or MacBook Pro, I could have it delivered the next day, or pick one up at our nearest physical Apple store in a few hours. But the moment that I wanted something built to order, say with an i7 processor or larger SSD, I’d have to wait three weeks for collection or delivery.

The thought did occur to me, in a twinkling of irrational optimism, that this might be because Apple was starting to fit processors which had been ‘fixed’ from Meltdown and Spectre vulnerabilities. Of course we have many more months or years to wait before that might begin to happen, and will have to suffer another few rounds of software mitigations yet, until some sections of code will have been patched repeatedly like a very old pair of jeans.

By coincidence, at the same time that I was making a mental note to revisit the MacBook purchase in a few weeks time, a friend asked me whether there was any chance of those vulnerabilities being addressed in replacement processors in the immediate future. He too is looking to buy a new Mac, and wondered whether waiting a little might be worthwhile.

I reassured him that there was still no evidence that Meltdown or Spectre were being exploited in the wild yet. I ventured that, at least for the time being, such exploits would appear improbable because of their difficulty. So long as there are easier pickings to be made, Meltdown and Spectre looked unlikely choices for the malware author.

This is the big problem with Meltdown and Spectre: yes, they are very serious and pretty fundamental security problems, which processor manufacturers should have addressed long ago, or shouldn’t have allowed to happen in the first place. But ‘even’ Macs have far more attractive vulnerabilities, which can be exploited more reliably. The only plausible reason for a malware developer wanting to exploit Meltdown or Spectre would be the kudos of being the first.

We’re only seven weeks into the year, and we have already seen a succession of conventional malware. Yet the press has largely obsessed over Meltdown and Spectre, rather than bringing home the simple lessons reinforced by the likes of OSX.CreativeUpdate (or OSX.Mudminer.A if you prefer Apple’s term). I can’t point to any statistics, but strongly suspect that the majority of Macs in use have no defences against malware apart from those built into macOS.

From the timeline of this release of OSX.CreativeUpdate, we now know that the first conventional anti-virus product, Malwarebytes, was able to detect and remove the infection about a day after malware release. That was an excellent achievement by Thomas Reed and the Malwarebytes team, but was reactive rather than pre-emptive.

Apple’s macOS security data update wasn’t built for another week, and wasn’t installed on many Macs until nearly two weeks after first appearance of the malware.

During its installation, OSX.CreativeUpdate writes a new property list file in ~/Library/LaunchAgents, to attempt persistence. This type of behaviour is such common practice in malware that it could almost be diagnostic. Except that software vendors who want us to let their products download and install silent updates – Adobe springs to mind – do essentially the same thing.

None of this is new or exciting, so as Meltdown and Spectre continue to haunt the headlines, the general and specialist press yet again don’t draw attention to the simple things that users should be doing to protect themselves from both novel and established malware attack.

I have just looked at how you can use some anti-malware products, and general software tools, to keep an eye on changes made to LaunchAgents and LaunchDaemons folders. Without such tools, as Apple persists in hiding the ~/Library folder from view, there is no easy monitoring or protection in macOS. Patrick Wardle drew attention to these and other issues some years ago, and I and others have repeatedly warned of the dangers.

As with so many hazards, the more novel and intangible the threat, like radiation, the greater attention it attracts; the older and more physical the threat, like drowning, the less we seem prepared to do about it, or even become concerned. Just as we are generally much more likely to drown than to die of radiation exposure, our Macs are more likely to be affected by traditional malware which abuses LaunchAgents and LaunchDaemons folders, than one which exploits Meltdown or Spectre.

Shouldn’t we all want to see more being done in macOS to keep a watch on these vulnerable folders, and warn us of potential novel attacks?