hoakley July 27, 2022 Macs, Technology

The State of Mac Security

It’s now the ‘silly season’ in the northern hemisphere, that period of a month or more when most people are away from the office. Apart from those Apple engineers still working hard to get Ventura and other new operating systems ready for release in the autumn/fall, all goes quiet. Over the last few months, much has changed in Mac security. This is the ideal chance to catch up before the pace picks up again in September.

macOS updates

A week ago Apple released its latest round of updates to supported versions of macOS.

If all goes according to plan, macOS 12.5 will be the last update to Monterey containing general bug fixes and enhanced features. Although it still didn’t address a remaining serious memory leak, as far as I can see all other serious bugs have now been addressed, together with another fifty security vulnerabilities. If you’re intending to remain on Monterey for the time being, or to upgrade to it, now’s a good time to schedule that.

For those remaining on Big Sur, the update to 11.6.8 also brought plenty of fixes for vulnerabilities. However, Catalina Security Update 2022-005 is likely to be its last as it slips into a quiet retirement. If your Mac can be upgraded to Big Sur or later, this is the time to plan that move.

The next scheduled macOS updates are most likely to coincide with the release of Ventura, and should consist of 12.6 and 11.6.9, both pure security updates.

Malware protection

Although Apple runs its security engineering teams 24/7, August is also usually a quieter period for significant updates to bundled protection tools. This year is likely to be different, though, as those are in the midst of change.

XProtect was last updated to version 2161 on 30 June, and may well see another update before September, but MRT hasn’t been updated since 29 April, when it reached 1.93. That’s most probably because Apple has shifted emphasis to a new set of tools in XProtect Remediator, which appear set to take over from MRT most likely with the release of Ventura. At present, Apple hasn’t provided any version of that new suite of tools to run on macOS earlier than Catalina.

XProtect Remediator has been the centre of attention: since it was updated to version 62 on 17 June, it has had a further three updates to reach 67 on 21 July. It has grown from 7 executable modules in version 2 to 12 in the current release.

Those still running Mojave and earlier must now be looking anxiously at what the future holds for both MRT and XProtect. Without further timely updates to those tools, old versions of macOS are likely to become increasingly vulnerable to attack. This is an appropriate time to reconsider your security, and whether you need to augment what comes in macOS with a little extra.

Update reliability

There are widespread reports of increasingly unreliable macOS system and security data updates too. Just because Software Update might reassure you that “your Mac is up to date” doesn’t mean that it is fully up to date at all. This applies particularly to security data updates including XProtect and XProtect Remediator, most of all when you’re running a local Content Caching server.

Before you run away for some well-earned relaxation, check that your Macs haven’t quietly fallen behind with those updates. This is simplest using one of my free utilities like SilentKnight, but if you want to check for yourself it’s easy to work through the apps and bundles in /Library/Apple/System/Library/CoreServices, or in earlier versions of macOS /System/Library/CoreServices. If you’re running a Caching server and can’t seem to get updates to install properly, disable the server before looking for and installing those updates. I have other tips here to help get your Macs updated.

Third-party protection

If you do decide that you need to augment the security protection in macOS, we’re fortunate in having a treasure-chest of free security utilities provided by Objective-See. When you download those products, please take the opportunity to contribute to ensure they remain free to use in the future.

There are also commercial security products, of which I have little experience. My first stop remains Malwarebytes, but I’m sure there are others worth looking at if you need.

Have a great silly season!

12Comments

Add yours

1

Macintoshista on July 27, 2022 at 6:48 am

Another excellent article re macOS security! As an alternative to MWB, I’ve noticed that DetectX Swift has been getting good write-ups recently.
https://sqwarq.com/detectx/

LikeLiked by 1 person
- 2
  
  hoakley on July 27, 2022 at 8:41 pm
  
  Thank you.
  Although I have used DetectX Swift in the past, I note that its current version 1 isn’t being developed any further, pending the release of version 2. Perhaps it would be better to wait a bit?
  Howard.
  
  LikeLiked by 1 person
3

bwillius on July 27, 2022 at 7:22 am

My Acronis backup calls itself now Acronis “Cyber Protect”. So far it protected me from some harmless test emails. Are there any test reports available on Acronis/Malwarebytes and the like? I haven’t a clue what these apps really protect against.

LikeLiked by 1 person
- 4
  
  brightlondon on July 27, 2022 at 12:55 pm
  
  A couple of sites I have looked at in the past:
  https://www.av-comparatives.org/tests/mac-security-test-review-2022/
  https://www.av-test.org/en/antivirus/home-macos/
  The first of those does at least describe their methodology.
  How they compare to or complement XProtect Remediator, I have no idea!
  
  LikeLiked by 1 person
  - 5
    
    hoakley on July 27, 2022 at 8:49 pm
    
    Thank you.
    No one outside Apple knows exactly what XProtect Remediator does, nor what malware it deals with. Neither do we even know how active it is at present, or whether it’s still in ‘trial’.
    Howard.
    
    LikeLike
- 6
  
  hoakley on July 27, 2022 at 8:44 pm
  
  Having in the past tried to perform tests on such products, I know that it isn’t easy. The biggest problem, of course, is that any test can only assess their performance on malware of the past, which isn’t necessarily any indication of how they will perform on the malware of the future.
  Currently I don’t use any third-party protection, apart from Objective-See utilities.
  Howard.
  
  LikeLike
7

Martin on July 27, 2022 at 9:11 am

I still have a couple of Macs running macOS Mojave. On those Macs I run Little Snitch, MalwareBytes, BlockBlock, and RansomWhere, as well as uBlock Origin in medium mode which blocks scripts in addition to ads.

Wouldn’t those security enhancements be more than enough to offset the lack of further security updates from Apple?

I feel like my Mojave Macs are very well protected. Any malware that tries to call home is going to be blocked by Little Snitch. BlockBlock along with some custom folder alert scripts warn me about apps or processes trying to install files in the various startup folders. MalwareBytes and RansomWhere can block other processes. And uBlock Origin goes a long way to protecting my Mac from potentially malicious or compromised websites.

LikeLiked by 2 people
- 8
  
  hoakley on July 27, 2022 at 8:47 pm
  
  Thank you.
  This all depends on your personal risk assessment, which is largely determined by what you do with your Macs. I do still keep Mojave available, but only in a VM, and won’t use that in positions of exposure, such as browsing unknown websites.
  I’m also a firm believer in reduction of vulnerabilities rather than relying on detection. The best defence against attack is to have a small attack surface through the primary protections in the OS.
  Howard.
  
  LikeLike
9

G.J. Parker on July 27, 2022 at 5:17 pm

‘silly season’- was expecting a reference to Monty Python. Darn.

But thanks for SilentKnight- very easy to check if a system is, in fact, current. Thank you for that and articles like this.

LikeLiked by 1 person
- 10
  
  hoakley on July 27, 2022 at 8:49 pm
  
  Thank you.
  Howard.
  
  LikeLike
11

markbot2zero on July 29, 2022 at 5:41 pm

Thank you, Howard.

1. Patrick Wardle’s “The Art of Mac Malware” is available here: https://taomm.org/

As you’d expect, it’s well written, organized and fascinating. Given that it’s free, and that his company is non-profit, you can make a Patreon donation for as little as two dollars (US) a month, to help him continue his work.

2. I recommend Virusbarrier Scanner, free from the Mac App Store, to all my clients. I tell them to run it once a month or so, more often if they’re getting hits — and I ask them to contact me if they do. It’s basic on demand scanning, no “real time” protection. I try to teach my clientele that *they*, with brains switched to the “ON” position, are the real time malware protection.

3. I’m also a paid up user of DetectX Swift. I’m not even sure what it does, and I’d like to know how it compares to Malwarebytes. I recently installed the latter, with some misgivings, on my MacBook Pro. I don’t *want* its realtime protection, which supposedly turns off if you don’t pony up the money to keep it. But I don’t like the idea of leaving residuals around, unused.

Which gets me to a question, Howard. Is it possible, when examing a .pkg, to determine exactly what the installer installs and where?

Thank you and best regards.

-Mark

LikeLiked by 1 person
- 12
  
  hoakley on July 29, 2022 at 10:17 pm
  
  Thank you.
  I don’t trust any anti-malware product available from the App Store. The requirements for apps sold from the app store, such as sandboxing, make it impossible for an app to do a complete job of scanning and protection. There are some narrow exceptions, for instance with browser plugins, but for general protection I don’t think an App Store can do a proper job.
  At present, DetectX Swift is end-of-line on version 1, and waiting on version 2. For the time being, I think it’s better to use another product if that’s what you need.
  The best tool for inspecting Installer packages is Mother’s Ruin’s Suspicious Package. It lets you inspect the scripts the package runs, although there are ways of working round that. The only definitive test is to run the package in an instrumented VM, something increasingly easy and cost-free.
  Howard.
  
  LikeLike