Enterprises should install Apple’s latest macOS Big Sur 11.3 update to secure their Macs. I spoke with Jamf Mac security expert Jaron Bradley, who explained why.
Install macOS 11.3 immediately
Enterprise users running fleets of Macs should get their IT support teams to approve the installation of Apple’s macOS Big Sur 11.3 update as swiftly as possible; the update should protect Macs against a serious software vulnerability that places data at risk.
As first spotted by Cedric Owens (and subsequently heavily researched by Jamf), the malware — a new version of a known Shlayer vulnerability — spreads in the following ways:
- Through compromised websites.
- Via poisoned search engine results in which criminals create web pages with content tailored to appear in results for common queries.
- By way of fake app installers or updaters.
When exploited, the vulnerability allows unapproved software to run on Macs and can enable attackers to access personal data. What makes this threat more serious is that none of the Mac’s defensive tools, including Gatekeeper, Notarization, or File Quarantine can prevent it, unless they’re updated to macOS 11.3.
Enterprises users should be aware that the security team at Jamf found hackers have been exploiting the vulnerability since Jan. 9. Jamf has published an in-depth explanation of the malware and how it works. Owens has an explanation as to how he was able to weaponize the flaw, which is available here.
Within five days of being told about the problem, Apple moved to rectify it with macOS 11.3. With this update, users attempting to install the malware will be told it “cannot be opened because the developer cannot be identified.” They will also be urged to delete the installer.
The fact the malware can push past existing Mac security should be seen as a warning to enterprise users to keep their Macs updated.
Q&A with Jamf
I spoke with Jaron Bradley, manager for macOS detections at Jamf, to find out more concerning this latest threat. Bradley’s not-surprising advice for enterprises: install macOS 11.3 “as soon as possible.”
What’s the most Interesting thing about this malware?
“The most interesting thing about this malware is that the author has taken an old version of it [Shlayer] and modified it slightly to abuse a bug [that] allowed it to bypass security features on macOS,” Bradley said.
How broad is this threat?
“The earliest Shlayer sample that we’ve discovered using this technique was reported on January 9th, 2021. The number of users impacted by this specific variant is not currently known, but a Kaspersky report stated that in 2019 1 in 10 users was infected by Shalyer. Those numbers are old at this point, but Shlayer continues to be one of the most active and prevalent malware families for macOS.”
What is the typical victim profile?
“Unknown users may stumble upon it by visiting legitimate websites that have been hijacked, which may ultimately redirect them to a new site hosting the malware. It is also commonly spread on pirating sites posing as free cracked software or sites that play pirated videos. Users are often prompted by the website to install it to watch the expected video.”
How can you tell if you or an employee are affected?
“For companies looking to protect their employees, we at Jamf would encourage running third-party security software capable of detecting these types of attacks. For technical users who want to know if the vulnerability that Shlayer abuses has been used on their Mac, Patrick Wardle at Objective-See released a free tool that can perform such a check.”
How did this attack get through?
“Apple makes many updates to their complex security features on a regular basis. At some point, one of these complex updates created an unintentional bug that allowed attackers to bypass many security features on the operating system.”
How can you mitigate the threat?
“The vulnerabilities that this malware abuses can be mitigated by upgrading to macOS 11.3. Apple has also updated their built-in anti-virus engine that now catches additional variants of Shalyer malware when identified.”
And what’s your best-practice advice for future security awareness?
“Jamf recommends a patch-fast-and-patch-often type of policy. When updates that fix large bugs come out, it’s best to install them as soon as possible.”