Where do Apple’s recent security updates leave macOS?

This week has seen a couple of surprise updates from Apple: on Tuesday, it pushed an update to XProtect’s data files, bringing them to version 2101; the very next day it pushed an update to its malware removal tool MRT, bringing it up from version 1.35 to 1.38.

The last time that Apple updated detection signatures in XProtect was 13 March 2018, in version 2099. Since then, it has only updated the minimum acceptable version number for Adobe’s Flash Player to run.

MRT’s last version was pushed on 19 June 2018, and there has been no sign of the missing versions 1.36 or 1.37.

Unlike XProtect’s data files, which are in plain text so readily readable, MRT is supplied as a closed app. Looking through its string content shows that version 1.38 does bring significant additions. However, while Apple used to use generally-recognised names for the malware detected and removed, the binary code in MRT now uses cryptic internal code names, making it effectivelly impossible to know what changes have been made in terms of protection.

Meanwhile, Apple’s programme to get all third-party apps which aren’t shipped through the App Store checked and notarized is gathering pace. Apple has announced that in the Spring of 2019, it will make the first launching of notarized apps more distinctive than it is at present. It is still on course to require all apps with third-party certificates either to be supplied through the App Store or to be notarized.

That means that at some time, probably in 2019, macOS will cease running newly-installed apps which rely only on a developer signature. Apple hasn’t announced when that will occur, but it is generally thought that it will be introduced in macOS 10.15.

Meanwhile it is rumoured that malware authors are exploring how they can circumvent additional security imposed by notarization, either by exploiting bugs which might allow non-notarized apps to run as if they had been notarized, or by cheating Apple’s scrutiny and getting malware notarized.

One significant area which Apple has yet to address is the notarization of command tools. Although command tools can have security certificates attached, most don’t and macOS seems quite happy to run them without. I believe that it may now be possible to get command tools notarized, but this isn’t (yet) a regular feature of Xcode, and I don’t know of any command tools which are now notarized.

Another issue which Apple seems to be addressing is the need for users to be able to run their own un-notarized apps, such as those built using Automator and AppleScript. Its wording in respect of the future requirement for notarization appears to limit that to apps built by others. It seems likely that user-built apps will be self-certified and not need to undergo any process such as notarization.

So where does this leave users as far as built-in security protection is concerned?

If you’re not yet running Mojave, then MRT is clearly still being supported, but it looks like Apple has abandoned the Yara-based signature checks of XProtect. Because your macOS cannot check whether apps have been notarized either, if you install apps which originate from outside the App Store or thoroughly secure sources (such as Microsoft, Adobe), then you shouldn’t expect macOS to protect your Mac from malware. Chances are it won’t. You should now be looking at a good anti-malware product such as Malwarebytes, if you don’t already use one.

If you’re running Mojave, the situation isn’t as clear cut. If you install software which isn’t notarized from sources which could have been hacked or might even be malicious, then you clearly need additional protection, at least until notarization becomes mandatory. It’s always possible to get caught by a malicious website or online exploit, but again the chances of that happening depend greatly on the sites that you visit, the online activities you engage in (cryptocurrency trading has been targeted), and your susceptibility to exploitation (which we always underestimate).

It is – and always has been – true that good third-party anti-malware software is important for Macs. Whether you need it is a matter of risk assessment. Simply assuming that running the latest version of macOS will protect you is dangerous, and everyone using an older version should think again whether their protection is now sufficient.

7Comments

Add yours

1

Michele Galvagno on December 14, 2018 at 10:32 am

Thank you for your advices!
Could you please point at were to find instructions on how to notarise one’s own app?

I use Malwarebites for my own protection as it has been difficult to find something else that is not killing your system while protecting it.
I normally am very careful about what I install but, is there some other anti malware you would suggest?

LikeLiked by 1 person
- 2
  
  hoakley on December 14, 2018 at 10:55 am
  
  Notarization is only currently straightforward when the app is built in Xcode. The Xcode help explains how to go through it, starting with the Archive process. You need Xcode 10 to do this. There are command tools which can do this for other apps, but the process is more complex then. It isn’t yet offered in Script Editor or Automator, I don’t think, and I’m not sure that it will be offered there as an option.
  Malwarebytes is good: for regular protection, it is one of the best. You may wish for additional tools, for which I recommend those of Objective-See. They’re a bit more technical, but cover issues which general protection can’t.
  Howard.
  
  LikeLiked by 1 person
3

B. Harris on December 14, 2018 at 1:07 pm

What do you recommend for applications like Keyboard Maestro, BBEdit, Anaconda Python, etc., that aren’t distributed through the App Store? Does Apple seem to have plans to incorporate those types of applications into the store?

LikeLiked by 1 person
- 4
  
  hoakley on December 14, 2018 at 1:17 pm
  
  No: Apple recognises that the App Store shouldn’t be the only way that Mac software is distributed. Its rules make that impossible, and there is no excuse (as there is on iOS) to try that. That is where notarization comes in.
  Any macOS developer with a developer certificate can get their apps notarized. It is a free service, and (apart from the rare glitch) is accomplished in just a few minutes. Almost all my free apps available in Downloads above are now notarized, although several do things which the App Store expressly forbids.
  I think that BBEdit is now on its way into the App Store anyway: it may be that the App Store version is limited in what it can do, but there should be no reason that it can’t also be available in a full-power version with notarization outside the store, as several other apps like GraphicConverter already offer.
  Some people have seen this as Apple trying to force all apps into the App Store, or shut down independent distribution. That couldn’t be further from the truth.
  Howard.
  
  LikeLike
5

Ian Weir on December 28, 2018 at 11:11 am

https://arstechnica.com/information-technology/2018/12/4-months-after-its-debut-sneaky-mac-malware-went-undetected-by-av-providers/

LikeLiked by 1 person
- 6
  
  hoakley on December 28, 2018 at 6:28 pm
  
  Thanks.
  It can be very hard to respond to this type of malware, especially when used sparingly in targeted attacks. XProtect and MRT may not be the best tools to tackle it, and until samples become available and its mode of spread understood, it can be a tough challenge.
  But it’s not the only such targeted malware this year. Roll on notarization!
  Howard.
  
  LikeLike
7

Updated List of macOS 10.14.5 - 10.15 Notarization Links & Info on September 4, 2019 at 2:40 am

[…] Where do Apple’s recent security updates leave macOS? – 12/14/18 […]

LikeLike

Share this:

Related